ICANN/GNSO GNSO Email List Archives

[ga]



Re: [ga] Notice: Another DNS security hole recognized

  • To: "Jeffrey A. Williams" <jwkckid1@xxxxxxxxxxxxx>
  • Subject: Re: [ga] Notice: Another DNS security hole recognized
  • From: "Joe Baptista" <baptista@xxxxxxxxxxxxxx>
  • Date: Thu, 31 Jul 2008 22:30:17 -0400

Just to make things clear.

1) The DNS is not the issue here.  The issue is servers / firewall / NAT
devices where the ports are not properly randomized for UDP.  And the
problems can be fixed.

2) This is not a new vulnerability.  It's one vulnerability with many
potential attack scenarios.  I've considered that even authoritative servers
can be exploited if one understands the attack vectors to deploy.

If people want to fix this the only real solution is to install a server
that works - Bernstein's DNS server is the only one I would guarantee to
clients works well for recursive and authoritative DNS.  Separate servers -
separate level of DNS services.

People who use recursive name servers for authoritative traffic are begging
trouble to pay them a visit.  i.e. you get your servers hijacked.  And
you won't even know it.

What pisses me off about Vixie is the shitty way he is using a very scary
vulnerability - i.e. potentially 70% (or more) of the internet can be
hijacked - to peddle his shabby wares - i.e. DNSSEC.

DNSSEC is nothing more than the Verisign/USG/IANA/ICANN disaster attempting
a takeover of the root zone, or at least maintaining the status quo.  Let
us not forget that the Chinese now have a significant market share, then
there was Turkey who I got online via the HEX, and the Arabs have been
running their own roots for years, etc etc.  So having lost over 30% market
share in root service is not a success.

DNSSEC is nothing more than a trap that will delay us for a few months.  It
is also a significant inconvenience and will require an IT infrastructure
devoted to its administration and maintenance.  i.e. big expenses to all
when the problem is and always has been the software - i.e. BIND and all its
variants.

Fix the software - fix the problem today.  Install DNSSEC - ensure a make
work project for DNS experts - and increase IT expenses significantly.

anyway - that's my two cents.

regards
joe baptista


On Wed, Jul 30, 2008 at 10:35 PM, Jeffrey A. Williams <
jwkckid1@xxxxxxxxxxxxx> wrote:

>
> All,
>
>  As if one was not enough, eh!  Well like I have been harping
> on, here is another that has finally been recognized that has
> been around for a while as well...
>
>  Seems that the ISC hasn't fixed or reported this one either... >:(
>
>  Here also is a new tool for users or admins. to check with:
> https://www.dns-oarc.net/oarc/services/dnsentropy
>
>
> 08.31.22 CVE: CVE-2008-1447
> Platform: Cross Platform
> Title: Multiple Vendor DNS Protocol Insufficient Transaction ID
> Randomization DNS Spoofing
> Description: Multiple vendors' implementations of the DNS protocol are
> exposed to a DNS-spoofing issue because the software fails to securely
> implement random values when performing DNS queries. Microsoft Windows
> DNS Clients and Servers, ISC BIND 8 and 9, and multiple Cisco IOS
> releases are affected.
> Ref: http://www.securityfocus.com/archive/1/494716
>
>
> Regards,
>
> Spokesman for INEGroup LLA. - (Over 281k members/stakeholders strong!)
> "Obedience of the law is the greatest freedom" -
>   Abraham Lincoln
>
> "Credit should go with the performance of duty and not with what is
> very often the accident of glory" - Theodore Roosevelt
>
> "If the probability be called P; the injury, L; and the burden, B;
> liability depends upon whether B is less than L multiplied by
> P: i.e., whether B is less than PL."
> United States v. Carroll Towing (159 F.2d 169 [2d Cir. 1947])
> ===============================================================
> Updated 1/26/04
> CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS.
> div. of Information Network Eng.  INEG. INC.
> ABA member in good standing member ID 01257402 E-Mail
> jwkckid1@xxxxxxxxxxxxx
> My Phone: 214-244-4827
>
>


-- 
Joe Baptista
www.publicroot.org
PublicRoot Consortium
----------------------------------------------------------------
The future of the Internet is Open, Transparent, Inclusive, Representative &
Accountable to the Internet community @large.
----------------------------------------------------------------
Office: +1 (360) 526-6077 (extension 052)
Fax: +1 (509) 479-0084
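The two points the thread turns on, source ports that a server or NAT box fails to randomize (Joe's point 1) and the insufficiently random transaction IDs of CVE-2008-1447 (the quoted advisory), can both be checked from a sample of a resolver's outbound queries. The following is an added illustration, not code from either poster or from the dnsentropy tool linked above; the three resolver behaviours are constructed models, and the 4096-query samples are synthetic rather than real captures.

```python
import math
import random
from collections import Counter

def shannon_bits(values):
    """Plug-in estimate of the entropy (bits) of the observed values.
    It can never exceed log2(len(values)), so read it as a lower bound."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())

def is_sequential(values, modulus=0x10000):
    """True when every successive value advances by the same step of 1 or 2.
    Such a sequence scores high on shannon_bits yet is trivially predictable,
    which is why the entropy estimate alone is not enough."""
    steps = {(b - a) % modulus for a, b in zip(values, values[1:])}
    return len(steps) == 1 and steps.pop() in (1, 2)

def assess(queries):
    """queries: list of (src_port, txid) pairs seen on outbound recursive lookups.
    Returns the per-field entropy estimates and any predictability findings."""
    ports = [p for p, _ in queries]
    txids = [t for _, t in queries]
    findings = []
    if len(set(ports)) == 1:
        findings.append("fixed source port")
    elif is_sequential(ports):
        findings.append("sequential source ports")
    if is_sequential(txids):
        findings.append("sequential transaction IDs")
    return {"port_bits": round(shannon_bits(ports), 1),
            "txid_bits": round(shannon_bits(txids), 1),
            "findings": findings}

# Constructed resolver models (hypothetical, for the demonstration only).
def legacy_resolver(n):
    """Pre-patch behaviour: one fixed source port, counter-style TXIDs."""
    return [(53, (0x1000 + i) & 0xFFFF) for i in range(n)]

def patched_resolver(n, seed=1):
    """Post-patch behaviour: random ephemeral port and random 16-bit TXID."""
    rng = random.Random(seed)
    return [(rng.randint(1024, 65535), rng.randint(0, 0xFFFF)) for _ in range(n)]

def behind_sequential_nat(queries, first_port=1024):
    """A NAT that maps each new outbound UDP flow to the next free port
    silently discards the resolver's port randomization."""
    return [(first_port + i, txid) for i, (_, txid) in enumerate(queries)]

if __name__ == "__main__":
    n = 4096
    print("legacy            ", assess(legacy_resolver(n)))
    print("patched           ", assess(patched_resolver(n)))
    print("patched behind NAT", assess(behind_sequential_nat(patched_resolver(n))))
```

The NAT case is the one worth watching in practice: the resolver itself passes, but what the authoritative side actually sees is a predictable port sequence, so the check has to be run from outside the NAT.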

