ICANN/GNSO GNSO Email List Archives

[ga]



Re: [ga] What are ICANN and VeriSign doing regarding CERT Advisory #800113 / DNS Cache Poisoning?

  • To: ga@xxxxxxxxxxxxxx, ALAC <at-large@xxxxxxxxxxxxxxxxxxxxxxx>
  • Subject: Re: [ga] What are ICANN and VeriSign doing regarding CERT Advisory #800113 / DNS Cache Poisoning?
  • From: "Jeffrey A. Williams" <jwkckid1@xxxxxxxxxxxxx>
  • Date: Wed, 06 Aug 2008 01:43:48 -0700

Joe and all,

  First, IMO, Joe is correct that DNSSEC will not save or fix any
problems that are software related to DNS/BIND or client interfaces
that are OS specific but were based upon what was known about
Bind at the time of their creation.

  Second, Bernstein's DNS/BIND is only ONE version of DNS/BIND
that is very secure.  Our BindPlus is also very secure as well, no
security problems reported in 49 months, and never a serious security
hole found or reported since its release.

  Third, I respectfully disagree that ICANN can't do anything.  They
could have done a lot over 6 years ago, and scoffed at anyone other than
Paul Vixie's Bind 8 at that time.  That was a mistake, and many knew
it but were silent publicly.

  Fourth, Joe is right, that with a little software Eng. foresight and
experimentation most of the DNS/BIND security holes are fixable and
customizably so.  What is missing is that there are very few GOOD
software Eng., and even fewer that have an in-depth understanding of DNS.

  Fifth, it is huge security problems like this that are bound to occur
as long as social Eng. are making software decisions or management
decisions that are grounded in security and/or software.  That's
a leadership problem, and in this instance it is an ICANN leadership
problem.


Joe Baptista wrote:

>
> On Wed, Aug 6, 2008 at 10:46 PM, George Kirikos <gkirikos@xxxxxxxxx> wrote:
>
>      Hello,
>
>      Just to follow up, ICANN sent out a news release earlier:
>
>      http://www.icann.org/en/announcements/announcement-06aug8-en.htm
>
>      It's a step in the right direction, to help educate folks.  However,
>      there's no true "fix", as the protocol itself is broken.  A move towards
>      DNSSEC or other secure DNS would be the only appropriate long-term
>      solution.
>
>
> There is nothing wrong with the protocol.  It's the software that's the
> issue.  And this is easy to fix.  I've run some tests and with a
> little DNS magic you can make your DNS very secure.
>
> Another big help would be to update your software including any NAT
> devices.
>
> The whole DNSSEC thing is another red herring in the making.
>
> Also there is nothing ICANN nor anyone else can do about this.  The
> world is running a lot of insecure servers.  BIND has always been
> buggy and true to form it will continue to be buggy.  Have you any
> idea how many buggy systems are out there?  i.e. almost all of them.
> Unless of course you're running Bernstein's DNS which already fixed this
> problem a long time ago.
>
> It bothers me that people who have no idea what the technical issues
> are get so easily baited by this issue.  George - let go of the ICANN red
> herring.  It's just another smoke screen.
>
> The real issue here is what sort of outreach programs ICANN is
> involved in to get people to upgrade and fix their buggy DNS servers.
> DNSSEC is not going to save them.
>
> cheers
> joe baptista
>
>      If there's ever a cyber 9/11, as Lessig discussed at:
>
>      http://news.slashdot.org/article.pl?sid=08/08/05/220229
>
>      widespread DNS cache poisoning might be one of the root causes.
>
>      I'd like to hear from VeriSign as to whether they're planning to
>      implement DNSSEC or a secure DNS alternative for .com/net, as PIR
>      intends for .org.
>
>      Sincerely,
>
>      George Kirikos
>      http://www.kirikos.com/
>
>      --- George Kirikos <gkirikos@xxxxxxxxx> wrote:
>
>      >
>      > Hello,
>      >
>      > ICANN and VeriSign have been oddly quiet over the entire DNS cache
>      > poisoning issue:
>      >
>      > http://www.kb.cert.org/vuls/id/800113
>      > http://www.circleid.com/posts/87143_dns_not_a_guessing_game/
>      > http://it.slashdot.org/article.pl?sid=08/07/08/195225&tid=172
>      >
>      > PIR has a pending proposal to implement DNSSEC for .org:
>      >
>      > http://www.icann.org/registries/rsep/
>      >
>      > Is that something that VeriSign has plans to accelerate for the
>      > important .com and .net registries, in order to prevent a long-term
>      > meltdown in DNS confidence/trust should DNS cache poisoning become
>      > widespread in August and beyond?
>      >
>      > No need for a "formal" press release, but I think the community
>      > deserves to know that people are working on the long-term solution to
>      > this problem, and making it a higher priority relative to other lesser
>      > issues.
>      >
>      > Point #14 in the latest policy newsletter appears to be the only "hint"
>      > that a few people are working on things:
>      >
>      > http://www.icann.org/topics/policy/update-jul08.htm#14
>      >
>      > Hopefully something will happen before Cairo, as by then there might be
>      > widespread disruptions to the internet. Perhaps the Board might want to
>      > consider an early special meeting this week or next:
>      >
>      > http://www.icann.org/minutes/
>      >
>      > instead of waiting until July 31st, in conjunction with the SSAC.
>      >
>      > Sincerely,
>      >
>      > George Kirikos
>      > http://www.kirikos.com/
>
> --
> Joe Baptista
> www.publicroot.org
> PublicRoot Consortium
> ----------------------------------------------------------------
> The future of the Internet is Open, Transparent, Inclusive,
> Representative & Accountable to the Internet community @large.
> ----------------------------------------------------------------
>  Office: +1 (360) 526-6077 (extension 052)
>     Fax: +1 (509) 479-0084
>
>

Regards,

Spokesman for INEGroup LLA. - (Over 281k members/stakeholders strong!)
"Obedience of the law is the greatest freedom" -
   Abraham Lincoln

"Credit should go with the performance of duty and not with what is
very often the accident of glory" - Theodore Roosevelt

"If the probability be called P; the injury, L; and the burden, B;
liability depends upon whether B is less than L multiplied by
P: i.e., whether B is less than PL."
United States v. Carroll Towing  (159 F.2d 169 [2d Cir. 1947])
===============================================================
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS.
div. of Information Network Eng.  INEG. INC.
ABA member in good standing member ID 01257402 E-Mail
jwkckid1@xxxxxxxxxxxxx
My Phone: 214-244-4827
