[dns-operations] summary of recent vulnerabilities in DNS security.

Doug Barton dougb at dougbarton.us
Tue Oct 22 06:12:13 UTC 2013

On 10/21/2013 08:54 AM, Keith Mitchell wrote:
> Applying the same 5-years' now-outside hindsight to this, the benefits
> of all that port randomization work seem murky at best - does anyone
> have data on many real Kaminsky cache-poisoning attacks took place in
> that time ?

The Kaminsky vulnerability was clear, and while not trivial to exploit 
was quite doable. The work that ISC and others did to address this was a 
huge service to the community. If it had not been done, I'm sure things 
in the last 5 years would have been pretty ugly.

> The Herzberg/Shulman attacks seem even harder to exploit in
> a real (as opposed to la) environment

I can't judge that, but I think the math that says focus on things that 
we see in the wild over things generally agreed to be academic/unlikely 
is a good one.


More information about the dns-operations mailing list