[dns-operations] AT&T DNS Cache Poisoning?
Roy Arends
roy at dnss.ec
Sun Oct 28 21:58:48 UTC 2012
On Oct 28, 2012, at 7:40 AM, bert hubert <bert.hubert at netherlabs.nl> wrote:
> On Sat, Oct 27, 2012 at 11:43:40PM -0700, David Conrad wrote:
>>> It appears that source port randomization works.
>>
>> Was there ever any doubt? The question wasn't (isn't?) whether source
>
> Yes, people used the Kaminsky hack as a way to push DNSSEC.
DNSSEC does not defend against the Kaminsky hack?
> So perhaps doubt was *instilled*.
Does port randomisation work against a MITM attack?
>> making the communication channel irrelevant. IMHO, it is a better
>> long-term solution (folks who know my opinion on DNSSEC may now require
>> smelling salts).
>
> As an implementor, after two years, we keep finding DNSSEC corner cases that
> make the authors of the very RFCs swoon.
As the co-author of the DNSSEC RFCs (4033/4034/4035/5155), I have yet to be swooned by any of the DNSSEC corner cases you've found.
> The effort of implementing everything correctly is just staggering, our
> number of regression tests is exploding just to try to keep everything in
> check.
Isn't the number of regression tests related to the number of bugs introduced?
> It might have been easier all round to just start from scratch and not
> pretend that this is 'an enhancement of DNS'.
BIND9 was started from scratch with the main purpose of adding DNSSEC. NSD2/3/4 and Unbound (Java/C) and BIND10 were started from scratch with DNSSEC support. I agree that adding DNSSEC to vanilla code is much harder.
> The length of the DNSSEC RFCs
> exceeds the length of the standardizing RFCs of DNS.
Not at all, both 1034 and 1035 are longer than 4034 and 4035. There is an awful lot of non-DNSSEC standards that update 1034 and 1035 that I could add, but I think I've already proven my point.
> By the way, I know some people will immediately chime in DNSSEC isn't that
> hard, but you won't hear an implementor among them…
As an implementer, I would not say that DNSSEC isn't that hard. It is not rocket science either.
Warm Regards,
Roy
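The thread above turns on two separate threat models: David's "source port randomization works" refers to an off-path forger who must guess the transaction ID and the source port, while Roy's question about a MITM refers to an on-path attacker who simply reads both from the query. The script below is an added example, not code from this thread or from any resolver project. It shows the check an operator would run on their own resolver: take a sample of outbound query headers (here three constructed samples, not real captures) and decide whether the source port is really randomized, sequential (the classic symptom of a NAT rewriting ports in order), or fixed. Entropy alone is not enough, because a NAT handing out ports 1024, 1025, 1026, ... produces 200 distinct ports and therefore maximal sample entropy, so the check also measures how often consecutive ports differ by exactly one. The thresholds (0.9 of the sample's maximum entropy, 0.5 sequential fraction) are this example's own choices.

```python
import math
import random
from collections import Counter

EPHEMERAL_LOW, EPHEMERAL_HIGH = 1024, 65535
TXID_MAX = 65535


def _sample(rng, n, port_fn):
    """Build n (txid, source_port) pairs; the TXID is always random here."""
    return [(rng.randint(0, TXID_MAX), port_fn(i)) for i in range(n)]


_rng = random.Random(2012)
# Constructed samples of outbound-query headers, not real packet captures.
RANDOMIZED = _sample(_rng, 200, lambda i: _rng.randint(EPHEMERAL_LOW, EPHEMERAL_HIGH))
SEQUENTIAL = _sample(_rng, 200, lambda i: 1024 + i)   # e.g. a NAT rewriting ports in order
FIXED = _sample(_rng, 200, lambda i: 53)              # a resolver querying from port 53 only


def entropy_bits(values):
    """Shannon entropy of the observed values, in bits."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def sequential_fraction(ports):
    """Fraction of consecutive queries whose source port went up by exactly one."""
    if len(ports) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(ports, ports[1:]) if b - a == 1)
    return steps / (len(ports) - 1)


def assess_randomization(queries):
    """Classify a sample of (txid, source_port) pairs as fixed, sequential, weak or randomized.

    Only the off-path threat is addressed: an on-path (MITM) attacker observes
    both values in the query itself, so no amount of entropy here helps against it.
    """
    ports = [p for _, p in queries]
    txids = [t for t, _ in queries]
    n = len(queries)
    max_bits = math.log2(n)  # the most entropy a sample of n values can show
    report = {
        "queries": n,
        "distinct_ports": len(set(ports)),
        "port_entropy_bits": entropy_bits(ports),
        "txid_entropy_bits": entropy_bits(txids),
        "sequential_fraction": sequential_fraction(ports),
    }
    if report["distinct_ports"] <= 1:
        report["verdict"] = "fixed"            # only the 16-bit TXID protects the query
    elif report["sequential_fraction"] > 0.5:
        report["verdict"] = "sequential"       # predictable port: NAT or broken resolver
    elif report["port_entropy_bits"] >= 0.9 * max_bits:
        report["verdict"] = "randomized"
    else:
        report["verdict"] = "weak"
    return report


if __name__ == "__main__":
    for name, sample in (("randomized", RANDOMIZED), ("sequential", SEQUENTIAL), ("fixed", FIXED)):
        r = assess_randomization(sample)
        print(f"{name:>10}: verdict={r['verdict']:<10} distinct_ports={r['distinct_ports']:<4} "
              f"port_bits={r['port_entropy_bits']:.2f} seq={r['sequential_fraction']:.2f}")
```

In practice the sample would come from a capture of the resolver's outbound port 53 traffic taken on the far side of any NAT or firewall, since that is the view an off-path attacker has to guess against; the "sequential" verdict is exactly the case where the resolver itself randomizes but the network in front of it undoes the work.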