[dns-operations] CERT VU#800113 Multiple DNS implementations vulnerable to cache poisoning

Paul Vixie vixie at isc.org
Thu Jul 10 04:27:39 UTC 2008


> ...  But I still cringe when people talk about a decade old problem and
> say "look, I found a new thing about an exploit from the 90s which hasn't
> really changed, you should fix NOW NOW NOW!"

this is not a decade old problem.  it's either as old as dns, or four months
old, depending on how you count.  somebody reminded me that i was one of the
earliest to ring an alarm bell on this, in a very weak, terrible 1995 paper:

http://www.usenix.org/publications/library/proceedings/security95/full_papers/vixie.txt

in 2002 i also attempted to demystify BCP38 since we all know that without
IP source address repudiability, no noncrypto UDP based protocol is safe:

http://www.icann.org/committees/security/sac004.txt

so, patrick and others, let me assure you, having been here all along and
having done what i could to secure the DNS QID for ~1.5 decades, i am aware
of the details of dan kaminsky's attack, and it will be news on august 6,
and it justifies every bit of pain and panic involved in randomizing all UDP
source ports on DNS transactions between recursive and authority servers.

and let me take another opportunity to thank dan bernstein for coming up
with the idea of UDP source port randomization for DNS transactions.  we
know it works and we're pushing hard to get it universally deployed.  (while
i'd rather have Secure DNS, the community could not possibly deploy that
fast enough, so we're doing what we can while we can.)

so, you should fix it NOW NOW NOW!

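The check the post's advice implies, as an added example that is not part of this mailing-list message: given (source port, QID) pairs observed on a resolver's outbound queries to authority servers (the sample pairs below are constructed, not captured traffic), estimate whether UDP source ports are actually randomized or whether the 16-bit QID is still the only unpredictable field in each transaction.

```python
import math
from collections import Counter

# Constructed samples of (udp_source_port, dns_qid) as they would appear in a
# packet capture of a resolver's outbound queries. Eight queries each.
FIXED_PORT_RESOLVER = [
    (53, 0x1a2b), (53, 0x9c3d), (53, 0x44e1), (53, 0x7f02),
    (53, 0x0b9a), (53, 0xc5d6), (53, 0x2e17), (53, 0x88f0),
]
RANDOM_PORT_RESOLVER = [
    (41023, 0x1a2b), (57811, 0x9c3d), (33207, 0x44e1), (60944, 0x7f02),
    (49365, 0x0b9a), (35120, 0xc5d6), (52678, 0x2e17), (44501, 0x88f0),
]


def shannon_bits(values):
    """Empirical Shannon entropy of a sample, in bits."""
    n = len(values)
    counts = Counter(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def assess_port_randomization(samples, fraction_of_max=0.9):
    """Summarize how much unpredictability the observed transactions carry.

    With n samples the entropy of a field can be at most log2(n) bits, so a
    field counts as randomized when its sample entropy is close to that
    ceiling. A resolver that reuses one port (classically 53) contributes
    0 bits from the port, leaving only the 16-bit QID to be guessed.
    """
    ports = [p for p, _ in samples]
    qids = [q for _, q in samples]
    ceiling = math.log2(len(samples))
    port_bits = round(shannon_bits(ports), 3)
    return {
        "distinct_ports": len(set(ports)),
        "port_entropy_bits": port_bits,
        "qid_entropy_bits": round(shannon_bits(qids), 3),
        # ephemeral range check: a fixed well-known port is an obvious red flag
        "ephemeral_only": all(1024 <= p <= 65535 for p in ports),
        "randomized": len(set(ports)) > 1 and port_bits >= fraction_of_max * ceiling,
    }


if __name__ == "__main__":
    for name, sample in (("fixed", FIXED_PORT_RESOLVER), ("random", RANDOM_PORT_RESOLVER)):
        print(name, assess_port_randomization(sample))
```

In practice the sample should be far larger than eight queries, taken from a capture of the resolver's outbound port 53 traffic; a verdict of `randomized: False` on a patched resolver usually points at a NAT or firewall in front of it rewriting source ports to a fixed value.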