[dns-operations] summary of recent vulnerabilities in DNS security.

Mon Oct 21 16:20:54 UTC 2013

On 21 Oct 2013, at 16:54, Keith Mitchell <keith at smoti.org> wrote:

> Applying the same 5-years' now-outside hindsight to this, the benefits
> of all that port randomization work seem murky at best -

There was/is a vulnerability and it's been (sort of) plugged. Surely that's a Good Thing? Even if it just means the bar has been raised for an attacker. And only for those who have installed new-ish DNS code.

> The Herzberg/Shulman attacks seem even harder to exploit in
> a real (as opposed to la) environment

Maybe. OTOH knowing about this weakness and doing little to counteract it -- save for the universal deployment of DNSSEC -- seems irresponsible to me. YMMV.

That said, there are other vulnerabilities that are probably more significant than cache poisoning attacks: eg the probably intractable reflector/amplification problems.