[dns-operations] summary of recent vulnerabilities in DNS security.

[Keith Mitchell]

On 10/21/2013 11:04 AM, Colm MacCárthaigh wrote:

>> remembering that the vulnerabilities you are reporting and the 
>> workarounds you're recommending will be judged according to 
>> engineering economics. if we assume that dnssec is practical on a 
>> wide enough scale that it could prevent the vulnerabilities you
>> are reporting on, then your work is of mainly academic interest.
>> as vernon said earlier today, none of the vulnerabilities you are 
>> reporting on have been seen in use. i also agree with vernon's 
>> assessment that none of them will ever be seen in use.
> 
> Back before Kaminsky made the need for port-randominsation undeniable
> with an actual working PoC, this sounds like the ISC/Bind response to
> port randomisation attacks. Other implementors and operators made a
> better judgement avoided the problem entirely, taking the cautious
> path.

Then ISC/BIND response to Kaminsky in 2008 was to burn perhaps 50% of
the company's product-wide development and support resources over that
year to co-ordinating, fixing, disclosing, patching, releasing and
evangelizing the solution to the problem. While at the time it felt to
us like great public benefit work was being done for the community, even
by the end of that year it was becoming clear it was not a particularly
great business decision.

Applying the same 5-years' now-outside hindsight to this, the benefits
of all that port randomization work seem murky at best - does anyone
have data on many real Kaminsky cache-poisoning attacks took place in
that time ? The Herzberg/Shulman attacks seem even harder to exploit in
a real (as opposed to la) environment

Disclosing such potential vulnerabilities remains valuable work, but I
think careful consideration needs to be applied to the engineering
economics of the best operational-world mitigation approaches.

Keith