[dns-operations] CERT VU#800113 Multiple DNS implementations vulnerable to cache poisoning
Patrick W. Gilmore
patrick at ianai.net
Thu Jul 10 01:13:54 UTC 2008
On Jul 9, 2008, at 8:26 AM, bert hubert wrote:
> On Wed, Jul 09, 2008 at 10:42:17AM +0000, Lutz Donnerhacke wrote:
>> * Duane Wessels wrote:
>>> http://www.kb.cert.org/vuls/id/800113
>>> Recent additional research into [DNS defects and deficiencies]
>>> and methods of combining them to conduct improved cache poisoning
>>> attacks have yielded extremely effective exploitation techniques.
>>
>> That is a very weak claim. Poisoning is not a new problem. What is
>> really new?
>
> I'd worry, if I were you. "Trust the story". Once the story breaks,
> you'll be able to test this for yourself.
The last time we had something like this was the BGP/MD5 fiasco. We
were told to trust the messengers, it was horrifically bad, the
Internet was about to die.
In that case, the cure was (literally) infinitely worse than the
disease. (Cumulatively, years of session downtime due to
implementation of and problems with MD5 vs. _ZERO_ downtime due to the
supposed problem. And we still have people going down to this very
day over MD5 issues.)
To be honest, I think this is worse than that, so I agree mitigation
steps should be taken. Plus the mitigation has far, far less
likelihood of causing downtime. But I still cringe when people talk
about a decade old problem and say "look, I found a new thing about an
exploit from the 90s which hasn't really changed, you should fix NOW
NOW NOW!"
--
TTFN,
patrick