ICANN/GNSO GNSO Email List Archives

[ga]



Re: [ga] Re: Details of DNS Flaw Leaked; Exploit Expected by End of Today

  • To: Stephane Bortzmeyer <bortzmeyer@xxxxxx>
  • Subject: Re: [ga] Re: Details of DNS Flaw Leaked; Exploit Expected by End of Today
  • From: "Jeffrey A. Williams" <jwkckid1@xxxxxxxxxxxxx>
  • Date: Tue, 22 Jul 2008 03:30:17 -0700

Stephane and all,

  According to the MOU, yes, security and stability is one of their
primary mandates.  But I agree with Jon's remarks below.  ICANN's
ability to perform its mandate in any reasonable or, in some instances,
rational way has proven to be a bit more than it can or will handle.

  Perhaps, Stephane, you have another suggestion on whose mandate
the security and stability of the Internet is?  Should be?  Could be?
I hope you're not thinking of the UN, or RIPE, god forbid?

Stephane Bortzmeyer wrote:

> On Wed, Jul 23, 2008 at 12:40:04AM -0400,
>  Prophet Partners Inc. <Domains@xxxxxxxxxxxxxxxxxxx> wrote
>  a message of 93 lines which said:
>
> > If ICANN hasn't done so already,
>
> AFAIK, ICANN did nothing. Are you sure that the security and stability
> of the Internet are within its mandate?
>
> > it would be wise to immediately notify all ICANN registries and
> > registrars about the exploit and the urgency to implement the
> > security patches.
>
> I hope that the ".com" registry and its registrars do not rely on
> ICANN for timely information about stability and security risks :-)
>
> (Remember that the vulnerability is on resolvers, anyway, so
> registries typically have nothing to do, except warning their local
> Internet community, something that all major ccTLDs did two weeks ago.)
>
> The problem is not within the big and serious organizations but in the
> myriad of small businesses (ISPs and end clients alike) which are
> typically quite clueless (see the attached message for an example).
>
>   ------------------------------------------------------------------------
>
> Subject: Clueless Major Backbone Provider
> Date: Tue, 22 Jul 2008 14:59:55 -0400
> From: Jon Kibler <Jon.Kibler@xxxxxxxx>
> Organization: Advanced Systems Engineering Technology, Inc.
> To: dns-operations@xxxxxxxxxxxxxxxxx
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi,
>
> I have an 'interesting' situation. I have a client that is dependent
> upon a major backbone provider for their recursive DNS services.
> However, this provider appears to be next to clueless. They have put out
> a notice to their customers which I will now quote in part -- with
> vendor identification information deleted:
>
> "On July 8, 2008, US-CERT issued a Technical Cyber Security Alert
> TA08-190B with the title 'Multiple DNS implementations vulnerable to
> cache poisoning.' ...
>
> The DNS community has been aware of this vulnerability for some time.
> CERT technical bulletin http://www.kb.cert.org/vuls/id/252735 issued in
> July, 2007, identified this vulnerability but at the time no patches
> were available from vendors.
>
> [VENDOR] does not disclose the name of its DNS vendors as a security
> measure but has implemented a preliminary patch that was available in
> January, 2008. The latest patch for alert TA08-190B is currently being
> tested ...
>
> ... the majority of [VENDOR]'s caching DNS infrastructures have load
> balancers.  Load balancers decrease the risk significantly because
> hackers are unable to target specific DNS servers."
>
> Questions:
>    1) How would you address the claims that this vulnerability is the
> same as the one from a year ago? (2nd paragraph)
>
>    2) Does the use of load balancers decrease the risk as claimed?
> (paragraph 4)
>
> Comment:
>    Note in paragraph 3 the vendor says it does not disclose which name
> servers that it uses, but in paragraph 2 gives a link that references
> BIND name servers.
>
> TIA for answers to questions.
>
> Jon Kibler
> - --
> Jon R. Kibler
> Chief Technical Officer
> Advanced Systems Engineering Technology, Inc.
> Charleston, SC  USA
> o: 843-849-8214
> c: 843-224-2494
> s: 843-564-4224
>
> My PGP Fingerprint is:
> BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.8 (Darwin)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iEYEARECAAYFAkiGLisACgkQUVxQRc85QlPR9ACffQ8T87dgk15iDvWjO31gB7ia
> 8bkAn3o9+kMC+7NReHVdOvHwXaO/uxYK
> =bl2K
> -----END PGP SIGNATURE-----
>
>   ------------------------------------------------------------------------
> _______________________________________________
> dns-operations mailing list
> dns-operations@xxxxxxxxxxxxxxx
> http://lists.oarci.net/mailman/listinfo/dns-operations

Regards,

Spokesman for INEGroup LLA. - (Over 281k members/stakeholders strong!)
"Obedience of the law is the greatest freedom" -
   Abraham Lincoln

"Credit should go with the performance of duty and not with what is
very often the accident of glory" - Theodore Roosevelt

"If the probability be called P; the injury, L; and the burden, B;
liability depends upon whether B is less than L multiplied by
P: i.e., whether B is less than PL."
United States v. Carroll Towing  (159 F.2d 169 [2d Cir. 1947]
===============================================================
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS.
div. of Information Network Eng.  INEG. INC.
ABA member in good standing member ID 01257402 E-Mail
jwkckid1@xxxxxxxxxxxxx
My Phone: 214-244-4827



