[dns-operations] summary of recent vulnerabilities in DNS security.
ed.lewis at neustar.biz
Mon Oct 21 17:55:35 UTC 2013
On Oct 21, 2013, at 11:54, Keith Mitchell wrote:
> The ISC/BIND response to Kaminsky in 2008 was to burn perhaps 50% of
> the company's product-wide development and support resources over that
> year to co-ordinating, fixing, disclosing, patching, releasing and
> evangelizing the solution to the problem. While at the time it felt to
> us like great public benefit work was being done for the community, even
> by the end of that year it was becoming clear it was not a particularly
> great business decision.
Over the weekend there was a CENTR Technical Workshop (the day before RIPE 67 and in the same location) where a panel was held on the recent DNS vulnerabilities as reported at DNS-OARC 7 days earlier. One of the thoughts that emerged (IMHO) was to set priorities like this: design away the theoretically/academically described vulnerabilities, reserving trench-warfare techniques to battle attacks we "learn from packet captures." Given limited resources, that is how I'd spend them.
So, yes, I believe this - in retrospect (referring to Keith's report) a lot of resources were burned to stem an attack that never really materialized. Possibly because of the fix, but we will never know.
Oddly, during the CENTR meeting and during the RIPE DNS WG meeting that followed, the quote "in the long run we are all dead" was uttered independently (by different speakers) to mean that "it's fine to design into the future, but we need to eat now." Under that banner, RRL serves an important purpose by staving off the apocalypse, even if (and I do mean if) its benefit is temporary.
This assumes that there is someone "designing away" vulnerabilities into the future, which I fear is a bad assumption currently. Most delivered techniques are triage, with anything requiring major architectural rework considered to be "too far off into the future" to even begin. I don't think DNSSEC would stand a chance starting from scratch today, given how avenues of innovation have changed.
NeuStar
You can leave a voice message at +1-571-434-5468
There are no answers - just tradeoffs, decisions, and responses.