[dns-operations] bogus claims arising from Nominum marketing drivel

bert hubert bert.hubert at netherlabs.nl
Wed Sep 23 10:58:52 UTC 2009

On Wed, Sep 23, 2009 at 12:27 PM, Jim Reid <jim at rfc1035.com> wrote:
>> and also don't count CVE-2008-1447 (which ironically didn't affect
>> "freeware" implementations like djbdns, PowerDNS, and MaraDNS)...
> This statement is also misleading because it doesn't tell the whole story.
> Some DNS implementations were more vulnerable to the Kaminsky attack than
> others. That wasn't news then or now. The root cause of that is the DNS
> protocol itself. That's not news either. The implementations on your chosen
> are not immune from cache poisoning. They just were lucky enough not to
> succumb to one particular flavour of cache poisoning attack.

Jim, much as I respect your DNS knowledge, those implementations
weren't "lucky".  As the saying goes, "the more I practice, the
luckier I get". It was negligent to only rely on the 16 bit id field
to recognize answers.

Also, since that time, people have failed spectacularly in spoofing
source port randomised nameservers - see http://tinyurl.com/powerdns
for why this might be (which also outlines the real risk of the 'slow

That Nominum branded itself post-Kaminsky as the "saviour of the net"
because they copied what more responsible nameservers had been doing
for ages is also not helpful.

Google will find the "Nominum DNS Protects 120 Million From New Risk"
article for you. The sheer guts.

But, wrapping up, like you said marketing is marketing. But this
stance of Nominum is unhelpful to say the least. It will probably not
help them in any way in cooperating with the "freeware legacy dns
industry" also known as the DNS community. But perhaps they are not


More information about the dns-operations mailing list