ICANN/GNSO GNSO Email List Archives

[ga]

<<< Chronological Index >>>    <<< Thread Index >>>

[ga] Kaminsky DNS Bug Claimed Fixed By 1-Character Patch

  • To: Ga <ga@xxxxxxxxxxxxxx>
  • Subject: [ga] Kaminsky DNS Bug Claimed Fixed By 1-Character Patch
  • From: "Jeffrey A. Williams" <jwkckid1@xxxxxxxxxxxxx>
  • Date: Sun, 31 Aug 2008 00:17:28 -0700
All,

  Remember it says "Claimed fix"!

See:

"According to a thread on the bind-users
mailing list, there is nothing inherent in the DNS protocol that would
cause the massive vulnerability discussed
http://tech.slashdot.org/article.pl?sid=08/08/07/1657252&tid=95
at  http://it.slashdot.org/article.pl?sid=08/08/21/2343250&tid=172
length here and elsewhere. As it turns out, it appears to be a
 http://marc.info/?t=121981071400003 simple off-by-one error
in BIND, which favors new NS records over cached ones (even if the
cached TTL is not yet expired). The patch changes this in favor of 
still-valid cached records, removing the attacker's ability to 
successfully poison the cache outside the small window of opportunity 
afforded by an expiring TTL, which is the way things used to be 
before the Kaminsky debacle.  Source port randomization is nice, but 
removing the root cause of the attack's effectiveness is better."
Update: 08/29 20:11 GMT by  http://slashdot.org/~kdawson/
KD : Dan Kaminsky sent this note: "What Gabriel suggests is interesting
and was considered, but a) doesn't work and b) creates fatal reliability
issues. I've  http://www.doxpara.com/?p=1234 responded in a post
here."

Regards,

Spokesman for INEGroup LLA. - (Over 281k members/stakeholders strong!)
"Obedience of the law is the greatest freedom" -
   Abraham Lincoln

"Credit should go with the performance of duty and not with what is
very often the accident of glory" - Theodore Roosevelt

"If the probability be called P; the injury, L; and the burden, B;
liability depends upon whether B is less than L multiplied by
P: i.e., whether B is less than PL."
United States v. Carroll Towing  (159 F.2d 169 [2d Cir. 1947]
===============================================================
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS.
div. of Information Network Eng.  INEG. INC.
ABA member in good standing member ID 01257402 E-Mail
jwkckid1@xxxxxxxxxxxxx
My Phone: 214-244-4827
<<< Chronological Index >>>    <<< Thread Index >>>