ICANN/GNSO GNSO Email List Archives

[ga]



Re: [ga] Kaminsky on dns bugs - Bernstein responds

  • To: "JFC Morfin" <jefsey@xxxxxxxxxxxxxxxx>
  • Subject: Re: [ga] Kaminsky on dns bugs - Bernstein responds
  • From: "Joe Baptista" <baptista@xxxxxxxxxxxxxx>
  • Date: Fri, 8 Aug 2008 23:58:29 -0400

On Fri, Aug 8, 2008 at 11:11 PM, JFC Morfin <jefsey@xxxxxxxxxxxxxxxx> wrote:

>  Joe,
> you do not want to answer my question?
> Is a local nameserver using a local root subject to that kind of a security
> problem?
>

Sorry Jefsey - I don't have a problem with answering that question.  I
assume you asked it and I missed it.

The answer is yes if the local root is a recursive server.

cheers
joe baptista



>
> jfc
>
>
>
> On 04:18 09/08/2008, Joe Baptista said:
>
>
> Well, the long-awaited description by Dan Kaminsky of the dns
> vulnerabilities was released as a 104-slide PowerPoint presentation:
>
>   http://www.doxpara.com/DMK_BO2K8.ppt
>
> On slide 34 it claims that DJB (Dr. Bernstein) WAS RIGHT.  This is
> something we all have known for years.  But then Kaminsky went on to hang
> himself by saying that DJB was "NOT PERFECT, we're seeing (and patching,
> don't ask)".  Kaminsky offers as an example that the birthday attack
> protection was not implemented by Bernstein because he believed port
> randomization was enough, and goes on to say that DJBDNS has other known
> issues too.
>
> People, this claim by Kaminsky is a load of crap and once again furthers my
> claim that the recent security issues are nothing more than the rehashing of
> old security problems that Bernstein addressed years ago.
>
> In any case there was a response to this by Bernstein - the response is
> below.  As you can see Bernstein supports what I have been going on about
> concerning these recent dns security issues.  The problems have been known
> for years and this is nothing more than a rehash of existing security issues
> to exploit user hysteria in the hope the world can be tricked into accepting
> yet another useless insecure protocol - being DNSSEC.
>
> I agree with Bernstein that the recent patches don't fix the problem.  In
> any case here is Bernstein's reply for the record.
>
> regards
> joe baptista
>
> ---------- Forwarded message ----------
> From: *D. J. Bernstein* <djb@xxxxxxxx>
> Date: Thu, Aug 7, 2008 at 11:42 PM
> Subject: Re: Kaminsky on djbdns bugs
> To: dns@xxxxxxxxxxxxx
>
>
> Kyle Wheeler writes:
> > That makes it easier for an attacker to guess the right number, but
> > only somewhat (your chances per-guess go from one in four billion to,
> > say, thirty in four billion). This criticism of djbdns seems
> > somewhat... well, specious.
>
>  http://cr.yp.to/djbdns/forgery.html has, for several years, stated the
> results of exactly this attack:
>
>   The dnscache program uses a cryptographic generator for the ID and
>   query port to make them extremely difficult to predict. However,
>
>   * an attacker who makes a few billion random guesses is likely to
>     succeed at least once;
>   * tens of millions of guesses are adequate with a colliding attack;
>
> etc. The same page also states bilateral and unilateral workarounds that
> would raise the number of guesses to "practically impossible"; but then
> focuses on the real problem, namely that "attackers with access to the
> network would still be able to forge DNS responses."
>
> I suppose I should be happy to see public awareness almost catching up
> to the nastiest DNS attacks I considered in 1999. However, people are
> deluding themselves if they think they're protected by the current
> series of patches. UIC is issuing a press release today on this topic;
> see below.
>
> ---D. J. Bernstein, Professor, Mathematics, Statistics,
> and Computer Science, University of Illinois at Chicago
>
>
> DNS still vulnerable, Bernstein says
>
> CHICAGO, Thursday 7 August 2008 - Do you bank over the Internet? If so,
> beware: recent Internet patches don't stop determined attackers.
>
> Network administrators have been rushing to deploy DNS source-port
> randomization patches in response to an attack announced by security
> researcher Dan Kaminsky last month. But the inventor of source-port
> randomization said today that new security solutions are needed to
> protect the Internet infrastructure.
>
> "Anyone who knows what he's doing can easily steal your email and insert
> fake web pages into your browser, even after you've patched," said
> cryptographer Daniel J. Bernstein, a professor in the Center for
> Research and Instruction in Technologies for Electronic Security (RITES)
> at the University of Illinois at Chicago.
>
> Bernstein's DJBDNS software introduced source-port randomization in
> 1999 and is now estimated to have tens of millions of users. Bernstein
> released the DJBDNS copyright at the end of last year.
>
> Kaminsky said at the Black Hat conference yesterday that 120,000,000
> Internet users were now protected by patches using Bernstein's
> randomization idea. But Bernstein criticized this idea, saying that it
> was "at best a speed bump for blind attackers" and "an extremely poor
> substitute for proper cryptographic protection."
>
> DNSSEC, a cryptographic version of DNS, has been in development since
> 1993 but is still not operational. Bernstein said that DNSSEC offers "a
> surprisingly low level of security" while causing severe problems for
> DNS reliability and performance.
>
> "We need to stop wasting time on breakable patches," Bernstein said. He
> called for development of DNSSEC alternatives that quickly and securely
> reject every forged DNS packet.
>
> Press contact: Daniel J. Bernstein <press-20080807@xxxxxxxxxxxx>
>
> -30-
>
> --
> Joe Baptista
> www.publicroot.org
> PublicRoot Consortium
> ----------------------------------------------------------------
> The future of the Internet is Open, Transparent, Inclusive, Representative
> & Accountable to the Internet community @large.
> ----------------------------------------------------------------
> Office: +1 (360) 526-6077 (extension 052)
> Fax: +1 (509) 479-0084
>
>


-- 
Joe Baptista
www.publicroot.org
PublicRoot Consortium
----------------------------------------------------------------
The future of the Internet is Open, Transparent, Inclusive, Representative &
Accountable to the Internet community @large.
----------------------------------------------------------------
Office: +1 (360) 526-6077 (extension 052)
Fax: +1 (509) 479-0084
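The forgery figures quoted above from cr.yp.to/djbdns/forgery.html (a few billion random guesses against a random ID plus random port are likely to succeed at least once; tens of millions suffice with a colliding attack) follow from a simple counting model, and the "one in four billion to thirty in four billion" remark in Kyle Wheeler's quoted message is the same model with thirty identical queries outstanding. The Python below is an added example; it is not code from djbdns, from Bernstein, or from anyone on this thread. It assumes a 16-bit transaction ID, an optional full 16-bit random source port (real resolvers get somewhat less than 16 bits from the ephemeral port range), independent random guesses by a blind attacker, and, for the colliding case, a resolver that keeps 200 identical queries in flight at once; that 200 is an assumed cap chosen for illustration, not a figure stated on the page.

```python
"""Blind DNS forgery cost model.

Added example, not from the djbdns page or this thread.  It quantifies
how many forged responses a blind attacker must send before one matches
the resolver's (transaction ID, source port) pair, and how much cheaper
that becomes when several identical queries are outstanding at once
(the "colliding" / birthday variant).  All parameter values below are
assumptions chosen for illustration.
"""

import math
import random


def search_space(id_bits=16, port_bits=0):
    """Number of (transaction ID, source port) pairs the attacker must guess."""
    return 2 ** (id_bits + port_bits)


def per_guess_probability(id_bits=16, port_bits=0, outstanding=1):
    """Chance that one forged response matches any of `outstanding`
    identical in-flight queries, each with its own random (ID, port).
    Treats the outstanding pairs as distinct, which is accurate while
    outstanding is tiny compared with the search space."""
    return outstanding / search_space(id_bits, port_bits)


def success_probability(guesses, id_bits=16, port_bits=0, outstanding=1):
    """P(at least one of `guesses` independent random forgeries matches).
    Computed as 1 - (1-p)**guesses via log1p/expm1 so that p ~ 2**-32
    does not lose precision in floating point."""
    p = per_guess_probability(id_bits, port_bits, outstanding)
    return -math.expm1(guesses * math.log1p(-p))


def guesses_for(target, id_bits=16, port_bits=0, outstanding=1):
    """Smallest number of forged responses giving at least `target`
    probability of success (inverse of success_probability)."""
    p = per_guess_probability(id_bits, port_bits, outstanding)
    return math.ceil(math.log1p(-target) / math.log1p(-p))


def simulate(trials, guesses, id_bits, port_bits, outstanding, seed=1):
    """Monte Carlo check of the closed form: the resolver draws random
    (ID, port) pairs for its in-flight queries, the attacker fires
    `guesses` random forgeries, and a trial is won if any forgery lands.
    Use small bit counts; this is a sanity check, not a fast path."""
    rng = random.Random(seed)
    n = search_space(id_bits, port_bits)
    wins = 0
    for _ in range(trials):
        in_flight = set()
        while len(in_flight) < outstanding:
            in_flight.add(rng.randrange(n))  # resolver picks a fresh pair
        if any(rng.randrange(n) in in_flight for _ in range(guesses)):
            wins += 1
    return wins / trials


def cost_table():
    """Forgeries needed for a 50% chance under the configurations the
    page discusses: random ID only, ID plus random port, and ID plus
    port against a colliding attack that keeps 200 identical queries
    outstanding (200 is an assumed cap, not a figure from the page)."""
    return {
        "id_only_16bit": guesses_for(0.5, 16, 0),
        "id_and_port_32bit": guesses_for(0.5, 16, 16),
        "id_and_port_200_outstanding": guesses_for(0.5, 16, 16, 200),
    }


if __name__ == "__main__":
    for name, g in cost_table().items():
        print(f"{name:30s} {g:>14,d} forged responses for 50% success")
    # Shrink the search space to 8 bits so the simulation runs in seconds.
    g = guesses_for(0.5, 8, 0, 1)
    print("closed form 0.5, simulated:", simulate(2000, g, 8, 0, 1))
```

The attacker in this model repeats guesses at random; an attacker who never repeats a (ID, port) pair does slightly better, and one who can keep more identical queries outstanding does proportionally better, which is why the cost table's third row is three orders of magnitude below its second. Neither variable is touched by source-port randomization alone, which is the point Bernstein's forgery page makes before moving on to on-path attackers.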

