<div dir="ltr"><div class="gmail_default" style="font-family:tahoma,sans-serif">I am not sure what you mean by `official OARC channels`; I forwarded my communication on this issue, with the porttest operators, to you a month or so ago. Maybe these were not official channels, but I have not contacted OARC otherwise, via a different channel.</div>
<div class="gmail_default" style="font-family:tahoma,sans-serif">Can you please advise how to contact OARC through official channels?</div><div class="gmail_default" style="font-family:tahoma,sans-serif">Thank you.</div>
</div>
<div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Oct 22, 2013 at 7:53 PM, Keith Mitchell <span dir="ltr"><<a href="mailto:keith@dns-oarc.net" target="_blank">keith@dns-oarc.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">On 10/22/2013 10:52 AM, Haya Shulman wrote:<br>
<br>
>> Disclosing such potential vulnerabilities remains valuable work,<br>
>> but I think careful consideration needs to be applied to the<br>
>> engineering economics of the best operational-world mitigation<br>
>> approaches.<br>
><br>
</div>> @/Keith Mitchell/<br>
<br>
(My head is *really* hurting from this quotation formatting..)-:<br>
(re-wrapping and indenting to list conventions...)<br>
<div class="im"><br>
> I do not advocate deploying these or other countermeasures. Above<br>
> any doubt you are in the best position to decide which<br>
> countermeasures to deploy.<br>
<br>
</div>Not really, OARC does not operate production service-providing<br>
infrastructure except to support a membership organization, most of our<br>
infrastructure is dedicated to data-gathering/testbed/research purposes.<br>
So I defer to *real* DNS infrastructure operators and implementors on<br>
any such judgments.<br>
<div class="im"><br>
> The situation with DNS checkers is different from deployment of port<br>
> randomisation. DNS checkers are a very important service to the<br>
> community and the efforts that their operators took to make them<br>
> available are very valuable. However, an illusion of security is more<br>
> dangerous than not being protected at all (in the latter case one is<br>
> aware that he is not protected and may be attacked).<br>
<br>
</div>Fair enough.<br>
<div class="im"><br>
> I admit that I do not know what economic effort is required to patch<br>
> DNS checkers which report per-destination ports, recommended in<br>
> [RFC6056], as secure<br>
<br>
</div>Well, more than we've been able to dedicate in the past month or so. I'm<br>
trying to get an estimate of this from those best placed to do the<br>
actual work.<br>
<div class="im"><br>
> but I suggested a fix to this vulnerability some time ago, that<br>
> should be fairly simple to implement;<br>
<br>
</div>Yes, but as I explained privately previously, there is no record of this<br>
correspondence through official OARC channels - I did request you<br>
re-send, but I don't have a copy of it.<br>
<div class="im"><br>
> the problem with the porttest checker is that each IP address of the<br>
> checker system receives a single query from the tested resolver, and<br>
> so to each such IP address a random port is selected. But, if more<br>
> than a single query were sent to each checker IP during the test,<br>
> then the predictable sequence would be easily identified.<br>
<br>
</div>Thank you for this clarification - any further points you have about the<br>
best way to implement the fix to this would be welcome, but are likely<br>
best taken off-list.<br>
<span class="HOEnZb"><font color="#888888"><br>
Keith<br>
<br>
</font></span></blockquote></div><br><br clear="all"><div><br></div>-- <br><div dir="ltr"><div><p style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Calibri,sans-serif"><font color="#000000">Haya Shulman</font></span></p>
<p style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Calibri,sans-serif"><font color="#000000">Technische Universität Darmstadt<u></u><u></u></font></span></p>
<p style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Calibri,sans-serif"><font color="#000000">FB Informatik/EC SPRIDE<u></u><u></u></font></span></p>
<p style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Calibri,sans-serif"><font color="#000000">Mornewegstr. 30<u></u><u></u></font></span></p>
<p style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Calibri,sans-serif"><font color="#000000">64293 Darmstadt<u></u><u></u></font></span></p>
<p style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Calibri,sans-serif"><font color="#000000">Tel. <a value="+4961511675540">+49 6151 16-75540</a><u></u><u></u></font></span></p>
<p style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Calibri,sans-serif"><a href="http://www.ec-spride.de/" target="_blank"><font color="#000000">www.ec-spride.de</font></a></span></p>
</div></div>
</div>
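The checker blind spot described in the quoted message, as an added example that is not part of this thread or of OARC's porttest code: a constructed model of a resolver that allocates source ports per destination (random first port, then incrementing, an assumed RFC 6056 style algorithm) beside a fully random one, and a checker that receives either one or several queries per checker IP. With one query per IP both resolvers look random; with three queries per IP the per-destination sequence is detected.

```python
import random
from collections import defaultdict

# Constructed checker addresses (documentation range): the several IPs a checker answers from.
CHECKER_IPS = ["192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4", "192.0.2.5"]
PORT_MIN, PORT_MAX = 1024, 65535
PORT_RANGE = PORT_MAX - PORT_MIN + 1

class PerDestinationResolver:
    """Assumed RFC 6056-style per-destination allocation: random first port per
    destination, then +1 for each later query to that same destination."""
    def __init__(self, seed=None):
        self._rng = random.Random(seed)
        self._next = {}

    def source_port(self, dst_ip):
        port = self._next.get(dst_ip)
        if port is None:  # first query to this destination: fresh random start
            port = self._rng.randint(PORT_MIN, PORT_MAX)
        self._next[dst_ip] = PORT_MIN + (port - PORT_MIN + 1) % PORT_RANGE
        return port

class FullyRandomResolver:
    """Independent random port for every query, whatever the destination."""
    def __init__(self, seed=None):
        self._rng = random.Random(seed)

    def source_port(self, dst_ip):
        return self._rng.randint(PORT_MIN, PORT_MAX)

def run_checker(resolver, checker_ips, queries_per_ip):
    """Have the resolver send queries_per_ip queries to each checker IP; return ports seen per IP."""
    observed = defaultdict(list)
    for ip in checker_ips:
        for _ in range(queries_per_ip):
            observed[ip].append(resolver.source_port(ip))
    return dict(observed)

def looks_sequential(ports):
    """True if every step between consecutive ports is identical (mod the port range).
    With fewer than three samples nothing can be concluded, which is the one-query blind spot."""
    if len(ports) < 3:
        return False
    deltas = {(b - a) % PORT_RANGE for a, b in zip(ports, ports[1:])}
    return len(deltas) == 1

def verdict(observed):
    """'predictable' if any checker IP saw a sequential run, else 'random'."""
    return "predictable" if any(looks_sequential(p) for p in observed.values()) else "random"
```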