[dns-operations] summary of recent vulnerabilities in DNS security.

Haya Shulman haya.shulman at gmail.com
Tue Oct 22 18:41:50 UTC 2013


I am not sure what you mean by `official OARC channels`. I forwarded my
communication on this issue with the porttest operators to you a month or so
ago. Maybe these were not official channels, but I have not contacted OARC
otherwise, via a different channel.
Can you please advise how to contact OARC through official channels?
Thank you.


On Tue, Oct 22, 2013 at 7:53 PM, Keith Mitchell <keith at dns-oarc.net> wrote:

> On 10/22/2013 10:52 AM, Haya Shulman wrote:
>
> >> Disclosing such potential vulnerabilities remains valuable work,
> >> but I think careful consideration needs to be applied to the
> >> engineering economics of the best operational-world mitigation
> >> approaches.
> >
> > @/Keith Mitchell/
>
> (My head is *really* hurting from this quotation formatting..)-:
> (re-wrapping and indenting to list conventions...)
>
> > I do not advocate to deploy these or other countermeasures. Above
> > any doubt you are in the best position to decide which
> > countermeasures to deploy.
>
> Not really, OARC does not operate production service-providing
> infrastructure except to support a membership organization, most of our
> infrastructure is dedicated to data-gathering/testbed/research purposes.
> So I defer to *real* DNS infrastructure operators and implementors on
> any such judgments.
>
> > The situation with DNS checkers is different from deployment of port
> > randomisation. DNS checkers are a very important service to the
> > community and the efforts that their operators took to make them
> > available is very valuable. However, an illusion of security is more
> > dangerous than not being protected at all (in the latter case one is
> > aware that he is not protected and may be attacked).
>
> Fair enough.
>
> > I admit that I do not know what economic effort is required to patch
> > DNS checkers which report per-destination ports, recommended in
> > [RFC6056], as secure
>
> Well, more than we've been able to dedicate in the past month or so. I'm
> trying to get an estimate of this from those best placed to do the
> actual work.
>
> > but I suggested a fix to this vulnerability some time ago, that
> > should be fairly simple to implement;
>
> Yes, but as I explained privately previously, there is no record of this
> correspondence through official OARC channels - I did request you
> re-send, but I don't have a copy of it.
>
> > the problem with the porttest checker is that each IP address of the
> > checker system receives a single query from the tested resolver, and
> > so to each such IP address a random port is selected. But, if more
> > than a single query were sent to each checker IP during the test,
> > then the predictable sequence would be easily identified.
>
> Thank you for this clarification - any further points you have about the
> best way to implement the fix to this would be welcome, but are likely
> best taken off-list.
>
> Keith
>
>


-- 

Haya Shulman

Technische Universität Darmstadt

FB Informatik/EC SPRIDE

Mornewegstr. 30

64293 Darmstadt

Tel. +49 6151 16-75540

www.ec-spride.de
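The checker weakness quoted above (one query to each checker address cannot distinguish a fully randomised resolver from one that picks ports per destination) can be reproduced offline. The following is an added simulation, not the porttest code or anything from the thread's authors: both resolver models, the checker addresses (RFC 5737 TEST-NET-1) and the verdict heuristics are constructed here. The per-destination model follows the shape of RFC 6056's hash-based algorithms (keyed hash of the destination plus a counter); the real resolver implementations discussed on the list are not specified on the page.

```python
"""Simulated resolver port selection versus two checker strategies.
Added example, not the porttest implementation."""
import hashlib
import random
import secrets

PORT_MIN, PORT_MAX = 1024, 65535
NUM_PORTS = PORT_MAX - PORT_MIN + 1

# Constructed checker addresses; the real service's addresses and their
# number are not given on the page.
CHECKER_IPS = [f"192.0.2.{i}" for i in range(1, 11)]


class RandomPortResolver:
    """RFC 6056 Algorithm 1 style: every query gets an independent random port."""

    def __init__(self, seed=None):
        # A seed makes the simulation reproducible; a real resolver would
        # use a CSPRNG (SystemRandom) only.
        self.rng = random.Random(seed) if seed is not None else random.SystemRandom()

    def source_port(self, dst_ip):
        return self.rng.randrange(PORT_MIN, PORT_MAX + 1)


class PerDestinationPortResolver:
    """In the style of RFC 6056's hash-based algorithms: the first port sent
    to a destination comes from a keyed hash of that destination, and each
    further query to the same destination advances a counter by one."""

    def __init__(self, secret=None):
        self.secret = secret if secret is not None else secrets.token_bytes(16)
        self.counters = {}

    def _offset(self, dst_ip):
        digest = hashlib.sha256(self.secret + dst_ip.encode()).digest()
        return int.from_bytes(digest[:4], "big")

    def source_port(self, dst_ip):
        count = self.counters.get(dst_ip, 0)
        self.counters[dst_ip] = count + 1
        return PORT_MIN + (self._offset(dst_ip) + count) % NUM_PORTS


def one_query_per_ip(resolver):
    """The checker design described on the list: one query reaches each
    checker address, so the checker observes one port per destination."""
    return [resolver.source_port(ip) for ip in CHECKER_IPS]


def several_queries_per_ip(resolver, n=5):
    """The suggested fix: send more than one query to each checker address."""
    return {ip: [resolver.source_port(ip) for _ in range(n)] for ip in CHECKER_IPS}


def looks_random(ports):
    """Crude single-sample verdict: all ports distinct and spread over a good
    part of the ephemeral range. Both resolver models pass this."""
    return len(set(ports)) == len(ports) and max(ports) - min(ports) > NUM_PORTS // 4


def constant_stride(ports):
    """Return the stride if consecutive ports to one destination differ by a
    constant (modulo the range, so wrap-around is handled), else None."""
    diffs = {(b - a) % NUM_PORTS for a, b in zip(ports, ports[1:])}
    return diffs.pop() if len(diffs) == 1 else None


def predictable_destinations(samples):
    """Destinations whose next source port an off-path attacker could guess:
    maps dst_ip -> predicted next port."""
    found = {}
    for ip, ports in samples.items():
        stride = constant_stride(ports)
        if stride is not None:
            found[ip] = PORT_MIN + (ports[-1] - PORT_MIN + stride) % NUM_PORTS
    return found


def checker_verdicts(resolver, n=5):
    """Run the one-query and the multi-query checker against one resolver."""
    single_ok = looks_random(one_query_per_ip(resolver))
    predictable = predictable_destinations(several_queries_per_ip(resolver, n))
    return {"single_query_passes": single_ok,
            "multi_query_predictable": bool(predictable)}


if __name__ == "__main__":
    for name, res in [("random", RandomPortResolver(seed=7)),
                      ("per-destination", PerDestinationPortResolver())]:
        print(name, checker_verdicts(res))
```

The stride test only catches the simplest per-destination pattern (a counter advancing by one); a checker that wants to catch random-increment or bucketed variants needs a stronger statistical test on the repeated samples, but the point stands that without repeated queries to the same address there is nothing to test.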