Re: [ga] were all screwed - the only solution is obvious - smart ids dns

["Jeffrey A. Williams" <jwkckid1@xxxxxxxxxxxxx>]

Dr. Joe and all,

  I don't know if OpenDNS has what your suggesting deployed.
But it is slowly becoming far more clear that ICANN is not
fully deploying or implementing DNSSEC.  I cannot for certain
determine as to why, however.  I can only suspect that ICANN
doesn't have the horses, nor does the IANA any longer, to properly
implement DNSSEC.  Same for IPSEC, BTW.

  Further, selling DNSSEC to Registries, Registrars, and Registrants,
as well as ISP/IAP's is not going well, nor for that matter is IPv6,
thank god.  One should also consider or actually recognize that
IP registries are far more security vulnerable than the roots, DN
registries and registrars, or registrants.

  But I would like to believe and certainly hope that the GAC
recognizes how important DNS security is, and to some degree
why it is so.  Let's hope that the FCC and DOC/NTIA can hold
ICANN properly and fully accountable as well as liable as critical
economic health and governmental infrastructure is at stake.

  Right now though the ignorance of DNS security as a necessity is
still wide spread.  The touchy-feely social engenerring folks and their
associated groups don't see this as a significant danger.  When they
get bit, maybe than they will.

  What's needed IMPO is that DNS needs a major re-write,
especially Bind.  Vixie could do it, Bernstine could do it, I
have along with my execellent technical staff, done it, and there
are a precious few others that could do it, none are that interested,
as it is a significant task.  For the Social Engenerring folks not to
understand how important this is, is beyond reasonable thinking.
ICANN, the IANA, and especially the IETF know better, so
ICANN's SSAC not adaquately addressing this is simply not
excusable, and they know it!

  However Dr. Joe, we're not all "screwed", as you so elequently
put it, yet. >:)  However seems that we are all exposed, as it were.
>:(

Joe Baptista wrote:

> People, were all screwed thanks to this DNS vulnerability.  It is
> truly a monster in the making and we are being bamboozled into
> thinking DNSSEC will save our sorry souls.  And the ease of causing
> damage to internet infrastructure is enormous.
>
> Every banking transaction, every communication channel can now be high
> jacked by any script kiddie with a network of bots.  And we are being
> asked to settle for DNSSEC which is clear is not so secure and easily
> broken by - guess who - script kiddies.  When the kiddies figure out
> how to control the DNS through these vulnerabilities were going to be
> a mess.
>
> My main concern are the criminals who will soon also discover how
> these flaws can be exploited.  Port randomization as has been show
> does not work.  It just take more time to do.  Bernsteins concern with
> the year 2015 is very real today.
>
> I've asked Vixie some questions and gotten some replies.  I hate to
> say this but the only real way left to guard against this attack is an
> intrusion detection system (IDS) to monitor any recursive DNS server
> and a good well behaved firewall.
>
> I addressed the fix for these problems back Jan 2007 in the
> Public-Root Name Server Operational Requirements document published by
> INAIC.  The sections are 4.2.7 to 4.2.9.  The reference document is at
> the following URL.
>
> http://www.publicroot.org/technical/root-server-standards.pdf
>
> In any case thats what now needs to be done to secure DNS ASAP. A
> would recommend a smart IDS that not only detects but also based on a
> set of rules attempt to find and correct the answer or response to the
> DNS server in real time.  I expect OpenDNS has this sort of thing
> deployed.
>
> cheers
> joe baptista
>
> --
> Joe Baptista
> www.publicroot.org
> PublicRoot Consortium
> ----------------------------------------------------------------
> The future of the Internet is Open, Transparent, Inclusive,
> Representative & Accountable to the Internet community @large.
> ----------------------------------------------------------------
> Office: +1 (360) 526-6077 (extension 052)
> Fax: +1 (509) 479-0084
>
>
Regards,

Spokesman for INEGroup LLA. - (Over 281k members/stakeholders strong!)
"Obedience of the law is the greatest freedom" -
   Abraham Lincoln

"Credit should go with the performance of duty and not with what is
very often the accident of glory" - Theodore Roosevelt

"If the probability be called P; the injury, L; and the burden, B;
liability depends upon whether B is less than L multiplied by
P: i.e., whether B is less than PL."
United States v. Carroll Towing  (159 F.2d 169 [2d Cir. 1947]
===============================================================
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS.
div. of Information Network Eng.  INEG. INC.
ABA member in good standing member ID 01257402 E-Mail
jwkckid1@xxxxxxxxxxxxx
My Phone: 214-244-4827