On Tue, Aug 4, 2009 at 9:25 PM, Paul Vixie<vixie@isc.org> wrote:
> i didn't pay any special heed to it since there was no way to get enough bites at the apple due to negative caching. when i saw djb's announcement (i think in 1999 or 2000, so, seven years after schuba's paper came out) i said, geez, that's a lot of code complexity and kernel overhead for a problem that can occur at most once per DNS TTL. and sure enough when we
Even then it was worth it, and it was silly that the DNS community ignored him. Note that work on RFC 5452 started two years before Kaminsky's announcement.
PowerDNS was patched for the flaw a year and a half before Kaminsky published his article.
> nevertheless bert was told about the problem and was given a lengthy window in which to test or improve his solutions for it. and i think openbsd may
You told me about the problem so I would not accidentally reveal it in the process of working on and discussing my draft. You also told me you'd block progress of the draft until after the Kaminsky announcement. And given the tactics you employ on the IETF DNSEXT mailing list, I knew you'd succeed. Recall that the draft contained 'MUST' wording that would've made it embarrassing for BIND *not* to implement source port randomization.

I didn't have to make any changes to PowerDNS as I was aware of the danger of using a single source port already.

In addition, remember the one famous successful attempt to spoof a source port randomizing nameserver, which took 10 hours and gigabit speeds? The same guy attempted this attack against PowerDNS, and failed for a simple (and accidental) reason. It turns out that PowerDNS query throttling and PowerDNS timeout caching make it very hard to find the sweet spot between generating enough queries to spoof a domain in a timely manner and not overloading the server or the network to the point that timeouts are generated, which leads PowerDNS to stop sending out queries.

That does not mean that I think the DNS is 'safe' now. My other attempt to increase DNS security in a simple way ('EDNS PING') was blocked as effectively as the RFC 5452 drafts were, and I've given up on that route. See http://www.ops.ietf.org/lists/namedroppers/namedroppers.2009/msg00760.html

I'll be at HAR2009 next week, and I understand both Kaminsky and EDNS-PING co-author David Ulevitch will be there, which should be fun. I'll also be presenting on DNS security risks, which will cover the subjects above as well.

Bert