[dns-operations] summary of recent vulnerabilities in DNS security.

Edward Lewis ed.lewis at neustar.biz
Tue Oct 22 12:36:49 UTC 2013

On Oct 21, 2013, at 14:32, someone wrote:

> But who cares who got there first?  Every request
> I see for credit is recorded in my private accounting as a debit against
> the credibility of the person demanding credit, because credit demands
> suggest interests which suggest biases and so inaccuracy.

What drives the value downward of mailing lists are discussions like this.

One of the failings of the field of DNS is that there's no small set of "libraries" of documents.  As a result, most participants never do the "literature search" phase of research, instead they just go to code.  I'd call that experimenting, not researching.  Given the environment, crediting work to someone is almost impossible. But that is not something new and unique to the DNS or even the Internet.  Most inventions over time were just incremental changes to known technology but for some reason, on increment was more valuable than all the previous.  E.g., what Edison got right was the color of light, not the idea of radiating light from a wire.

As far as what Kaminsky contributed, in my estimation, the novelty was in the forging of UDP's sender address and flooding to perform cache poisoning.  (Cache poisoning itself had been described in the 1990's, which is why there was a DARPA contract to develop DNSSEC from 1994 to 1998 or so.)  The DNSSEC development flotilla had long been considering how to defeat message insertions, that mechanism was not novel in Kaminsky's description.  His major contributions were first exposing how to perform an insertion attack when not "on the path" and secondly he visualized the consequences to people.

Edward Lewis             
NeuStar                    You can leave a voice message at +1-571-434-5468

There are no answers - just tradeoffs, decisions, and responses.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20131022/49c658e8/attachment.html>

More information about the dns-operations mailing list