[dns-operations] DNS issue accidentally leaked?

Paul Vixie vixie at isc.org
Tue Jul 22 18:10:42 UTC 2008


> >The difference is its use of additional RR records. The request is for 
> >some arbitrary sub domain like 12345.google.com, but your spoofed 
> >response also includes the record for www.google.com
> 
> Which is also decades old and well known.  So at best, it's a 'new' attack
> that is a combination of 2 well-known/documented ones. Maybe I am somewhat
> disappointed because I expected a second coming/something truly novel
> (please note that I'm not discounting the seriousness of the issue, just
> commenting on its apparent novelty)

downplay this all you want, we can infect a name server in 11 seconds now,
which was never true before.  i've been tracking this area since 1995.  don't
try to tell me, or anybody, that dan's work isn't absolutely groundbreaking.

i am sick and bloody tired of hearing from the people who aren't impressed.
every time some blogger says "this isn't new", another five universities
and ten fortune 500 companies and three ISP's all decide not to patch.
that means we'll have to wait for them to be actively exploited before they
will understand the nature of the emergency.

perhaps dan's defcon talk will open some remaining eyes among those glued
shut by the pride and prejudice of the minds behind them.  i am stunned,
absolutely stunned, that there was a ready-to-go blog posting sitting in
clear text on a network connected machine, written by tom ptacek who had
whined about how the hacker community needed to be in the loop, waiting for
the "publish" button to be hit "accidentally" by his wife.  is this how the
community rewards dan for trying to buy us all some time to protect the
infrastructure?  is this how the community plans to incentivize slow and
careful disclosure of the next big flaw?

we've exited another era in the disclosure debate, and not even dan knew it.
