[dns-operations] CERT VU#800113 Multiple DNS implementations vulnerable to cache poisoning

Sean Donelan sean at donelan.com
Thu Jul 10 17:19:27 UTC 2008

On Thu, 10 Jul 2008, Michael Monnerie wrote:
> On Donnerstag, 10. Juli 2008 Otmar Lendl wrote:
>> In his experience, users simply ignore those warnings.
> Of course. Because they just cannot understand what the message on the
> screen means. It's like you make a complete medical check and get the
> results in doctor's language (latin TLDs and such). After all, what
> should the user do? If he clicks no, he cannot do netbanking. So he'll
> try again and click yes, and it (seems to) work. Programs would have to
> deny access and display the telephone number of the hotline, that would
> be the only help.
> Every day I see end users doing the wrong thing. Otherwise the virus
> problem would be negligible.

Yep, that's why I chuckled when I saw ISC claiming DNSSEC was "the
definitive solution."

Even assuming DNS registries have any better security for checking DNS 
changes before they sign the data (click here to e-mail the password you 
forgot, or send a request on company letterhead), and assuming DNS users 
understand/don't ignore/don't disable DNSSEC warnings (some people 
turnoff UDP checksums for better performance), and so on....

Is ISC engaging in a bit of P.R. puffery talking about "the only full 
solution" to scare people to use DNSSEC.  ISC's previous vulnerability
disclosures don't hype DNSSEC.

More information about the dns-operations mailing list