[dns-operations] CERT VU#800113 Multiple DNS implementations vulnerable to cache poisoning

Patrick W. Gilmore patrick at ianai.net
Thu Jul 10 04:57:55 UTC 2008

On Jul 10, 2008, at 12:27 AM, Paul Vixie wrote:

>> ...  But I still cringe when people talk about a decade old problem and
>> say "look, I found a new thing about an exploit from the 90s which hasn't
>> really changed, you should fix NOW NOW NOW!"

> in 2002 i also attempted to demystify BCP38 since we all know that without
> IP source address repudiability, no noncrypto UDP based protocol is safe:
> http://www.icann.org/committees/security/sac004.txt

I don't think any sane person disagrees that BCP38 is vital.

> so, patrick and others, let me assure you, having been here all along and
> having done what i could to secure the DNS QID for ~1.5 decades, i am aware
> of the details of dan kaminsky's attack, and it will be news on august 6,
> and it justifies every bit of pain and panic involved in randomizing all UDP
> source ports on DNS transactions between recursive and authority servers.
> and let me take another opportunity to thank dan bernstein for coming up
> with the idea of UDP source port randomization for DNS transactions.  we
> know it works and we're pushing hard to get it universally deployed.  (while
> i'd rather have Secure DNS, the community could not possibly deploy that
> fast enough, so we're doing what we can while we can.)
> so, you should fix it NOW NOW NOW!

Like I said (in the part where you have "..."), I agree the fix should  
be applied.  Sorry if that wasn't clear.

But I still reserve the right to give you a gigantic raspberry if the
"exploit" turns out to be something every single person on this list
realized before we finished reading the advisory (and many of us
thought of years earlier but were too lazy to do anything about it).

I'd say more, but I have to go upgrade some servers. :-)
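The quoted exchange turns on why randomizing the UDP source port of every outgoing query matters: a resolver that matches responses on the 16-bit QID alone has far less unpredictability per transaction than one that also requires the response to arrive at a freshly randomized port. The following is an added example written for this page, not code from the original thread or from any resolver; the `OutstandingQuery` table, the response-matching check, and the port-spread check are constructed illustrations and assume a port range of 1024 to 65535 for the randomized side.

```python
"""Why source-port randomization raises the bar for blind cache poisoning.

Added illustration (not part of the dns-operations post). It models the
outstanding-query table of a recursive resolver, the match a resolver
must perform before accepting a response, the unpredictability (in bits)
an off-path forger would have to overcome, and a simple operator check
that a resolver really is spreading its source ports.
"""
import math
import secrets
from dataclasses import dataclass

PORT_LOW, PORT_HIGH = 1024, 65535          # assumed ephemeral port range


@dataclass(frozen=True)
class OutstandingQuery:
    """One in-flight query from a recursive resolver to an authority."""
    qname: str
    qid: int        # 16-bit DNS transaction id
    src_port: int   # UDP source port the response must come back to


def new_query(qname: str, randomize_port: bool = True) -> OutstandingQuery:
    """Issue a query with a random QID and, optionally, a random source port.

    randomize_port=False models the legacy behaviour the thread argues
    against: every query leaves from the same fixed port (53 here)."""
    qid = secrets.randbelow(1 << 16)
    if randomize_port:
        src_port = PORT_LOW + secrets.randbelow(PORT_HIGH - PORT_LOW + 1)
    else:
        src_port = 53
    return OutstandingQuery(qname, qid, src_port)


def response_matches(query: OutstandingQuery, resp_qid: int,
                     resp_dst_port: int, resp_qname: str) -> bool:
    """The acceptance check a resolver must apply to an incoming answer.

    All three must agree with the outstanding query: the transaction id,
    the UDP destination port, and the question name (case-insensitive).
    A response failing any one of them is dropped."""
    return (resp_qid == query.qid
            and resp_dst_port == query.src_port
            and resp_qname.lower() == query.qname.lower())


def unpredictable_bits(randomize_port: bool) -> float:
    """Bits an off-path forger cannot observe and must guess per transaction.

    QID contributes 16 bits; a randomized source port drawn uniformly from
    PORT_LOW..PORT_HIGH adds log2(range) more."""
    bits = 16.0
    if randomize_port:
        bits += math.log2(PORT_HIGH - PORT_LOW + 1)
    return bits


def ports_look_randomized(observed_ports, min_distinct_fraction: float = 0.5) -> bool:
    """Operator sanity check: did a sample of outgoing queries use a good
    spread of source ports?  A resolver stuck on one port (or a tiny pool,
    e.g. behind a NAT that rewrites ports sequentially) fails this test.
    Returns False for an empty sample."""
    ports = list(observed_ports)
    if not ports:
        return False
    return len(set(ports)) / len(ports) >= min_distinct_fraction


if __name__ == "__main__":
    legacy = [new_query("example.com.", randomize_port=False) for _ in range(20)]
    modern = [new_query("example.com.", randomize_port=True) for _ in range(20)]
    print("legacy bits:", unpredictable_bits(False),
          "randomized:", ports_look_randomized(q.src_port for q in legacy))
    print("modern bits:", round(unpredictable_bits(True), 2),
          "randomized:", ports_look_randomized(q.src_port for q in modern))
```

The check in `response_matches` is the resolver-side half of the defence: randomizing the port only helps if the resolver refuses answers that arrive on any other port. `ports_look_randomized` is the kind of check an operator can run on a packet capture of outbound queries to confirm the upgrade took effect end to end, including through any NAT in the path.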
