In a message written on Mon, Aug 11, 2008 at 09:41:54AM -0500, Jack Bates wrote:
> 7) Have someone explain to me the repeated claims I've seen that djbdns and Nominum's server are not vulnerable to this, and why that is.
>
> PowerDNS has this to say about their non-vulnerability status:
> http://mailman.powerdns.com/pipermail/pdns-users/2008-July/005536.html
>
> I know some very happy providers that haven't had to patch. I hope to be one of them on the next round.
It's not that they are immune to the attack, and I think a few people deserve to be smacked around for the language they use..... Let's be perfectly clear, without DNSSEC or an alteration to the DNS Protocol THERE IS NO WAY TO PREVENT THIS ATTACK. There are only ways to make the attack harder. So what PowerDNS, DJB and others are telling you is not that you are immune, it is that you're not the low-hanging fruit.

A more direct way of stating their press releases would be: Everyone else figured out it took 3 minutes to hack their servers and implemented patches to make it take 2 hours. Our server always had the logic to make it take 2 hours, so we were ahead of the game.

Great. If your vendor told you that you are not at risk they are wrong, and need to go re-read the Kaminsky paper. EVERYONE is vulnerable, the only question is if the attack takes 1 second, 1 minute, 1 hour or 1 day. While possibly interesting for short term problem management none of those are long term fixes. I'm not sure your customers care when .COM is poisoned if it took the attacker 1 second or 1 day.

-- 
Leo Bicknell - bicknell@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/