Re: [ga] What are ICANN and VeriSign doing regarding CERT Advisory #800113 / DNS Cache Poisoning?

["Joe Baptista" <baptista@xxxxxxxxxxxxxx>]

On Wed, Aug 6, 2008 at 10:46 PM, George Kirikos <gkirikos@xxxxxxxxx> wrote:

>
> Hello,
>
> Just to followup, ICANN sent out a news release earlier:
>
> http://www.icann.org/en/announcements/announcement-06aug08-en.htm
>
> It's a step in the right direction, to help educate folks. However,
> there's no true "fix", as the protocol itself is broken. A move towards
> DNSSEC or other secure DNS would be the only appropriate long-term
> solution.


There is nothing wrong with the protocol.  Its the software thats the
issue.  And this is easy to fix.  I've run some tests and with a little DNS
magic you can make you DNS very secure.

Another big help would be to update your software including any NAT devices.

The whole DNSSEC thing is another red herring in the making.

Also there is nothing ICANN nor anyone else can do about this.  The world is
running a lot of insecure servers.  BIND has always been buggy and true to
form it will continue to be buggy.  Have you any idea how many buggy systems
are out there.  i.e. almost all of them.  Unless of course your running
burnsteins DNS which already fixed this problem a long time ago.

It bother me that people who have no idea what the technical issues are get
so easily baited by this issue.  George - let go the ICANN red herring.  Its
just another smoke screen.

The real issue here is what sort of out reach programs is ICANN involved in
to get people to upgrade and fix their buggy dns servers.  DNSSEC is not
going to save them.

cheers
joe baptista



>
>
> If there's ever a cyber 9/11, as Lessig discussed at:
>
> http://news.slashdot.org/article.pl?sid=08/08/05/220229
>
> widespread DNS cache poisoning might be one of the root causes.
>
> I'd like to hear from VeriSign as to whether they're planning to
> implement DNSSEC or a secure DNS alternative for .com/net, as PIR
> intends for .org.
>
> Sincerely,
>
> George Kirikos
> http://www.kirikos.com/
>
> --- George Kirikos <gkirikos@xxxxxxxxx> wrote:
>
> >
> > Hello,
> >
> > ICANN and VeriSign have been oddly quiet over the entire DNS cache
> > poisoning issue:
> >
> > http://www.kb.cert.org/vuls/id/800113
> > http://www.circleid.com/posts/87143_dns_not_a_guessing_game/
> > http://it.slashdot.org/article.pl?sid=08/07/08/195225&tid=172
> >
> > PIR has a pending proposal to implement DNSSEC for .org:
> >
> > http://www.icann.org/registries/rsep/
> >
> > Is that something that VeriSign has plans to accelerate for the
> > important .com and .net registries, in order to prevent a long-term
> > meltdown in DNS confidence/trust should DNS cache poisoning become
> > widespread in August and beyond?
> >
> > No need for a "formal" press release, but I think the community
> > deserves to know that people are working on the long-term solution to
> > this problem, and making it a higher priority relative to other
> > lesser
> > issues.
> >
> > Point #14 in the latest policy newsletter appears to be the only
> > "hint"
> > that a few people are working on things:
> >
> > http://www.icann.org/topics/policy/update-jul08.htm#14
> >
> > Hopefully something will happen before Cairo, as by then there might
> > be
> > widespread disruptions to the internet. Perhaps the Board might want
> > to
> > consider an early special meeting this week or next:
> >
> > http://www.icann.org/minutes/
> >
> > instead of waiting until July 31st, in conjunction with the SSAC.
> >
> > Sincerely,
> >
> > George Kirikos
> > http://www.kirikos.com/
>
>


-- 
Joe Baptista
www.publicroot.org
PublicRoot Consortium
----------------------------------------------------------------
The future of the Internet is Open, Transparent, Inclusive, Representative &
Accountable to the Internet community @large.
----------------------------------------------------------------
 Office: +1 (360) 526-6077 (extension 052)
    Fax: +1 (509) 479-0084