[dns-operations] summary of recent vulnerabilities in DNS security.

Dickson, Brian bdickson at verisign.com
Wed Oct 23 16:24:54 UTC 2013

Paul Vixie wrote:

Haya Shulman wrote:

> > so if i add "first weaponized by Haya Shulman" this would settle the
> > matter?
> Thank you, can you please use Amir Herzberg and Haya Shulman (I
> collaborated on this attack together with my phd advisor Amir Herzberg).

it shall be done.

Thank you.

upon deeper consideration, "weaponized" is the wrong verb, unless you have released your software. i can say "first published" if that will serve your purpose.

Sorry to join the discussion late.

FYI, I have been working on a proof-of-concept weaponized implementation of a fragmentation-based attack.
(My work is limited only to fragmentation, as I see that as the issue with the largest attack surface and which suffers from potential long-tail problems in mitigations.)

This work was inspired by Haya/Amir's work, although it did abstract things and go back to first principles on what to do and how to do it. The PoC code is a clean-room implementation.

I am also loosely collaborating with the CZ folks (Ondřej Surý et al) who are also doing their own independent PoC.

There was a presentation of this at the latest DNS-OARC meeting, as well as at the last RIPE meeting.

We will, of course, be keeping the code private, and will avoid releasing too many details.

When we have specific concrete results, we will share them in a responsible fashion.

Regardless of the specifics, the general result should be understood: the unsigned aspects of delegations, creates an exposure to poisoning which allows MitM, which facilitates a host of problems to anything which is not totally DNSSEC-signed and DNSSEC-validated.

Brian Dickson

P.S. Credit for "weaponized" even if the code is shared with strict controls, rather than released, would be welcome, at the appropriate time.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20131023/60a39060/attachment.html>

More information about the dns-operations mailing list