ICANN/GNSO GNSO Email List Archives

[ga]


[ga] FYI Fwd: Kaminsky on djbdns bugs

  • To: Ga <ga@xxxxxxxxxxxxxx>
  • Subject: [ga] FYI Fwd: Kaminsky on djbdns bugs
  • From: "Joe Baptista" <baptista@xxxxxxxxxxxxxx>
  • Date: Sat, 9 Aug 2008 10:44:32 -0400

FYI

---------- Forwarded message ----------
From: Joe Baptista <baptista@xxxxxxxxxxxxxx>
Date: Sat, Aug 9, 2008 at 10:42 AM
Subject: Re: Kaminsky on djbdns bugs
To: Erwin Hoffmann <feh@xxxxxxxxx>
Cc: dns@xxxxxxxxxxxxx


Hi,

On Fri, Aug 8, 2008 at 11:33 AM, Erwin Hoffmann <feh@xxxxxxxxx> wrote:

> Hi,
>
> At 03:42 08.08.2008 +0000, D. J. Bernstein wrote:
>
>> Kyle Wheeler writes:
>> > That makes it easier for an attacker to guess the right number, but
>> > only somewhat (your chances per-guess go from one in four billion to,
>> > say, thirty in four billion). This criticism of djbdns seems
>> > somewhat... well, specious.
>>
>> http://cr.yp.to/djbdns/forgery.html has, for several years, stated the
>> results of exactly this attack:
>>
>>   The dnscache program uses a cryptographic generator for the ID and
>>   query port to make them extremely difficult to predict. However,
>>
>>   * an attacker who makes a few billion random guesses is likely to
>>     succeed at least once;
>>   * tens of millions of guesses are adequate with a colliding attack;
>>
>> etc. The same page also states bilateral and unilateral workarounds that
>> would raise the number of guesses to "practically impossible"; but then
>> focuses on the real problem, namely that "attackers with access to the
>> network would still be able to forge DNS responses."
>>
>
> Yes. I've posted years ago a URL to tinydns.org (originating from
> Security Focus) with a very careful analysis about the above topic Kaminsky
> claims now to be a new affair -- however, the link has been removed (I can
> post a copy of the article in PDF format on request).


I'd be interested in seeing it.


> Most of what Kaminsky discusses is pretty old and well known - obviously
> except for the BIND guys (regarding DNS).


The BIND guys know it.  The BIND guys patch BIND every year.  But it is so
half-assed.  How many versions of BIND have been published to address security
issues?  Answer - every single one.

I've complained for years about this.  Especially to the internet DNS
pirates at ICANN.  It goes nowhere.  What pisses me off is that they have
the resources to do a good job but don't.  From their point of view it seems
every BIND vulnerability is a marketing opportunity.  It has been either an
attempt to use the security issue to deny users access to port 53 or in this
case an attempt to market a crappy protocol like DNSSEC - which is in my
opinion an attempt by a technical community to give control of the root to
the 13 root gods.


> Even worse; here in Germany on the Heise ticker, there is more confusion
> regarding MacOS and the missing dnslib patches from Apple (sailing on the
> waves of Kaminsky's 'discoveries'). The common misunderstandings about the
> roles of the stub-resolver, the dns-cache/full-resolver, and the
> dns-content-server seem to be persistent; in particular in spite of DNSSEC.


> regards.
> --eh.
>
> (The German-reading folks may have a look in the 2nd edition of my book
> "Technik der IP-Netze" which explains DNS -- I shall translate that chapter
> into English and make it publicly available; any volunteers?)
>
> Dr. Erwin Hoffmann | FEHCom | http://www.fehcom.de/
> Wiener Weg 8, 50858 Cologne | T: +49 221 484 4923 | F: ...24
>
>


-- 
Joe Baptista
www.publicroot.org
PublicRoot Consortium
----------------------------------------------------------------
The future of the Internet is Open, Transparent, Inclusive, Representative &
Accountable to the Internet community @large.
----------------------------------------------------------------
Office: +1 (360) 526-6077 (extension 052)
Fax: +1 (509) 479-0084
