[dns-operations] DNS issue accidentally leaked?

Alperovitch, Dmitri dmitri_alperovitch at securecomputing.com
Tue Jul 22 05:00:40 UTC 2008


How is this attack really different from the birthday attack described by
Joe Stewart and others in 2002?  Perhaps a slight variation on it, but I
wouldn't call it earthshakingly new...

Side question: do most DNS implementations allow you to overwrite the cached
record before the TTL runs out?  If not, I would think that this attack will
not really be as powerful as it might seem (i.e. it would be pretty hard to
poison the glue for google.com since it would be nearly always cached by any
nameserver serving even a few users)

Regards,

Dmitri

----
Dmitri Alperovitch
Director, Intelligence Analysis and Hosted Security
Secure Computing Corporation
http://www.securecomputing.com

-----Original Message-----
From: dns-operations-bounces at mail.oarc.isc.org
[mailto:dns-operations-bounces at mail.oarc.isc.org] On Behalf Of David Dagon
Sent: Tuesday, July 22, 2008 12:42 AM
To: Matthew Pounsett
Cc: dns-operations at mail.oarc.isc.org
Subject: Re: [dns-operations] DNS issue accidentally leaked?

On Mon, Jul 21, 2008 at 07:34:53PM -0400, Matthew Pounsett wrote:

>  Not so accidentally.  It appears (to me) to be a deliberate
> self-aggrandizement move by one particular security speculator.  The
> posting

I thought this as well originally.  But it appears to have been an
"accidental" blog post.

The post originally appeared at:

http://www.matasano.com/log/1103/reliable-dns-forgery-in-2008-kaminskys-discovery/

It was evidently put up in error.  The blog owner, Thomas Ptacek,
originally drafted a story that was ready to be posted in August.  But
it was then published by an "E.Copeland" on the blog.  (Some analysis
via LinkedIn/Facebook suggests E.Copeland is Erin Ptacek, perhaps the
wife of the blog owner.)

The post was taken down (but is cached in countless RSS feeds and
pastebin pages).  Thomas Ptacek then posted an apology:

http://www.matasano.com/log/1105/regarding-the-post-on-chargen-earlier-today/

Note that the apology confirms the validity/accuracy of the story
easily found in so many RSS caches.  

So while I don't know if the post was deliberate, it was clearly
negligent at best.  Moreover, the apology adds to the harm by
confirming the validity of the approach.  (I.e., among all the
speculations on the Internet, this one has been self-identified as the
"right answer", thanks to the apology; attackers need look no
further.)

Thus, I think DNS operators should best assume the details have been
divulged (and then validated); code will surely follow.

-- 
David Dagon              /"\                          "When cryptography
dagon at cc.gatech.edu      \ /  ASCII RIBBON CAMPAIGN    is outlawed, bayl
Ph.D. Student             X     AGAINST HTML MAIL      bhgynjf jvyy unir
Georgia Inst. of Tech.   / \                           cevinpl."
_______________________________________________
dns-operations mailing list
dns-operations at lists.oarci.net
http://lists.oarci.net/mailman/listinfo/dns-operations
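As an added illustration of the two cache questions raised in this thread (whether a live record can be overwritten before its TTL runs out, and whether glue for an unrelated zone such as google.com can ride in on another zone's reply), here is a toy resolver-cache model written for this page; it is not code from the list, from any resolver, and not a model of any particular implementation. The `ToyCache` and `in_bailiwick` helpers, the names and the 192.0.2.x / 198.51.100.x addresses are all constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RR:
    name: str    # owner name, e.g. "ns1.example.net"
    rtype: str   # "A", "NS", ...
    rdata: str   # e.g. "192.0.2.1"
    ttl: int     # seconds

def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is at or below `zone` (hypothetical helper)."""
    n, z = name.lower().rstrip("."), zone.lower().rstrip(".")
    return n == z or n.endswith("." + z)

class ToyCache:
    """Simplified cache: keeps a live entry until its TTL expires and
    discards records outside the bailiwick of the answering zone."""
    def __init__(self) -> None:
        self.now = 0        # simulated clock, seconds
        self.store = {}     # (name, rtype) -> (rdata, expiry)

    def lookup(self, name: str, rtype: str):
        hit = self.store.get((name.lower().rstrip("."), rtype))
        return hit[0] if hit and hit[1] > self.now else None

    def accept(self, zone: str, records):
        """Offer records from a reply served by `zone`; return those cached."""
        cached = []
        for rr in records:
            if not in_bailiwick(rr.name, zone):
                continue    # e.g. google.com data inside an example.net reply
            if self.lookup(rr.name, rr.rtype) is not None:
                continue    # live entry, TTL not yet run out: keep the old data
            key = (rr.name.lower().rstrip("."), rr.rtype)
            self.store[key] = (rr.rdata, self.now + rr.ttl)
            cached.append(rr)
        return cached

    def tick(self, seconds: int) -> None:
        self.now += seconds

def demo():
    c = ToyCache()
    glue = RR("ns1.example.net", "A", "192.0.2.1", 3600)
    first = c.accept("example.net", [RR("www.example.net", "A", "192.0.2.10", 300), glue])
    later = c.accept("example.net", [RR("ns1.example.net", "A", "198.51.100.9", 3600)])
    foreign = c.accept("example.net", [RR("www.google.com", "A", "198.51.100.9", 3600)])
    live = c.lookup("ns1.example.net", "A")     # still 192.0.2.1
    c.tick(3601)                                # let the glue's TTL run out
    expired = c.accept("example.net", [RR("ns1.example.net", "A", "198.51.100.9", 3600)])
    return len(first), len(later), len(foreign), live, len(expired), c.lookup("ns1.example.net", "A")
```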
