Re: [ga] What are ICANN and VeriSign doing regarding CERT Advisory #800113 / DNS Cache Poisoning?

["Jeffrey A. Williams" <jwkckid1@xxxxxxxxxxxxx>]

George and all,

  Good idea and also a good question.  It appears that ICANN's
SSAC is unwilling or unable to address this long standing and glaring
problem that endangers us all on a global basis.  It BTW is not a new
problem by any means.  It's been around for years.  Thanks to CERT,
by the insistence of some of us security professionals hammering them,
it has finally been recognized as a huge security problem.

  Maybe DHS or the USDOJ can apply some pressure on ICANN to
either act, or get out of the way.

  It's also very clear that the ALAC has seemingly not identified this
security problem as being very important either.  I suppose or can only
surmise that the ALAC and the ALS'es could care less how many users
are damaged by this problem.  Certainly they cannot claim that they
were not made aware.

  So it seems that it's full speed ahead and dam the torpedoes as
fast tracking IDN ccTLD's, new gTLD's, IDN gTLD's, Fast-Flux,
anti-phishing, and other less important issues is ICANN's policy
priorities.
See: http://www.icann.org/topics/policy/

  But thank you again George, for bringing this serious security problem
back into the public eye.

George Kirikos wrote:

> Hello,
>
> ICANN and VeriSign have been oddly quiet over the entire DNS cache
> poisoning issue:
>
> http://www.kb.cert.org/vuls/id/800113
> http://www.circleid.com/posts/87143_dns_not_a_guessing_game/
> http://it.slashdot.org/article.pl?sid=08/07/08/195225&tid=172
>
> PIR has a pending proposal to implement DNSSEC for .org:
>
> http://www.icann.org/registries/rsep/
>
> Is that something that VeriSign has plans to accelerate for the
> important .com and .net registries, in order to prevent a long-term
> meltdown in DNS confidence/trust should DNS cache poisoning become
> widespread in August and beyond?
>
> No need for a "formal" press release, but I think the community
> deserves to know that people are working on the long-term solution to
> this problem, and making it a higher priority relative to other lesser
> issues.
>
> Point #14 in the latest policy newsletter appears to be the only "hint"
> that a few people are working on things:
>
> http://www.icann.org/topics/policy/update-jul08.htm#14
>
> Hopefully something will happen before Cairo, as by then there might be
> widespread disruptions to the internet. Perhaps the Board might want to
> consider an early special meeting this week or next:
>
> http://www.icann.org/minutes/
>
> instead of waiting until July 31st, in conjunction with the SSAC.
>
> Sincerely,
>
> George Kirikos
> http://www.kirikos.com/

Regards,

Spokesman for INEGroup LLA. - (Over 281k members/stakeholders strong!)
"Obedience of the law is the greatest freedom" -
   Abraham Lincoln

"Credit should go with the performance of duty and not with what is
very often the accident of glory" - Theodore Roosevelt

"If the probability be called P; the injury, L; and the burden, B;
liability depends upon whether B is less than L multiplied by
P: i.e., whether B is less than PL."
United States v. Carroll Towing  (159 F.2d 169 [2d Cir. 1947]
===============================================================
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS.
div. of Information Network Eng.  INEG. INC.
ABA member in good standing member ID 01257402 E-Mail
jwkckid1@xxxxxxxxxxxxx
My Phone: 214-244-4827