[dns-operations] DNS issue accidentally leaked?

Roy Arends roy at dnss.ec
Tue Jul 22 19:16:49 UTC 2008


On Jul 22, 2008, at 8:10 PM, Paul Vixie wrote:

>>> The difference is its use of additional RR records. The request is for
>>> some arbitrary sub domain like 12345.google.com, but your spoofed
>>> response also includes the record for www.google.com
>>
>> Which is also decades old and well known.  So at best, it's a 'new' attack
>> that is a combination of 2 well-known/documented ones. Maybe I am somewhat
>> disappointed because I expected a second coming/something truly novel
>> (please note that I'm not discounting the seriousness of the issue, just
>> commenting on its apparent novelty)
>
> downplay this all you want, we can infect a name server in 11 seconds now,
> which was never true before.  i've been tracking this area since 1995.  don't
> try to tell me, or anybody, that dan's work isn't absolutely groundbreaking.
>
> i am sick and bloody tired of hearing from the people who aren't impressed.
> every time some blogger says "this isn't new", another five universities
> and ten fortune 500 companies and three ISP's all decide not to patch.
> that means we'll have to wait for them to be actively exploited before they
> will understand the nature of the emergency.
>
> perhaps dan's defcon talk will open some remaining eyes among those glued
> shut by the pride and prejudice of the minds behind them.  i am stunned,
> absolutely stunned, that there was a ready-to-go blog posting sitting in
> clear text on a network connected machine, written by tom ptacek who had
> whined about how the hacker community needed to be in the loop, waiting for
> the "publish" button to be hit "accidentally" by his wife.  is this how the
> community rewards dan for trying to buy us all some time to protect the
> infrastructure?  is this how the community plans to incentivize slow and
> careful disclosure of the next big flaw?
>
> we've exited another era in the disclosure debate, and not even dan knew it.

+1 !

I completely share your sentiment.

Roy


