ICANN/GNSO GNSO Email List Archives

[ga]



Re: [ga] What are ICANN and VeriSign doing regarding CERT Advisory #800113 / DNS Cache Poisoning?

  • To: ga@xxxxxxxxxxxxxx
  • Subject: Re: [ga] What are ICANN and VeriSign doing regarding CERT Advisory #800113 / DNS Cache Poisoning?
  • From: "Jeffrey A. Williams" <jwkckid1@xxxxxxxxxxxxx>
  • Date: Wed, 06 Aug 2008 01:29:38 -0700

George and all,

  Well, yes, this is a move in the right direction.  But it is far too
little and perhaps far too late, as we have seen with Apple.
See:

(August 1, 2008)
Apple released a patch for the recently disclosed and exploited DNS
vulnerability, but while it fixes Mac OS X systems used as DNS servers,
it does not protect Macs being used as client systems.  Fully patched
versions of both Tiger (version 10.4.11) and Leopard (version 10.5.4)
do not adequately randomize DNS source ports.  Apple released Security
Update 2008-005 on Thursday, July 31 to address 17 flaws in its OS X
operating system.
- From Internet Storm Center:
http://isc.sans.org/diary.html?storyid=4810
A quick packet dump of my fully patched Leopard machine (OS X 10.5.4)
shows it is - as a DNS client - still using incrementing ports.
http://www.theregister.co.uk/2008/08/01/osx_still_vulnerable/print.html
http://www.informationweek.com/news/hardware/mac/showArticle.jhtml?articleID=209901566

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9111363&source=rss_topic17

  Secondly, it wasn't Dan K. that originally made note of this and many
other DNS security holes that can expose users to serious danger.  That
was done back in 2001 on the old DNSO GA mailing list.

George Kirikos wrote:

> Hello,
>
> Just to followup, ICANN sent out a news release earlier:
>
> http://www.icann.org/en/announcements/announcement-06aug08-en.htm
>
> It's a step in the right direction, to help educate folks. However,
> there's no true "fix", as the protocol itself is broken. A move towards
> DNSSEC or other secure DNS would be the only appropriate long-term
> solution.
>
> If there's ever a cyber 9/11, as Lessig discussed at:
>
> http://news.slashdot.org/article.pl?sid=08/08/05/220229
>
> widespread DNS cache poisoning might be one of the root causes.
>
> I'd like to hear from VeriSign as to whether they're planning to
> implement DNSSEC or a secure DNS alternative for .com/net, as PIR
> intends for .org.
>
> Sincerely,
>
> George Kirikos
> http://www.kirikos.com/
>
> --- George Kirikos <gkirikos@xxxxxxxxx> wrote:
>
> >
> > Hello,
> >
> > ICANN and VeriSign have been oddly quiet over the entire DNS cache
> > poisoning issue:
> >
> > http://www.kb.cert.org/vuls/id/800113
> > http://www.circleid.com/posts/87143_dns_not_a_guessing_game/
> > http://it.slashdot.org/article.pl?sid=08/07/08/195225&tid=172
> >
> > PIR has a pending proposal to implement DNSSEC for .org:
> >
> > http://www.icann.org/registries/rsep/
> >
> > Is that something that VeriSign has plans to accelerate for the
> > important .com and .net registries, in order to prevent a long-term
> > meltdown in DNS confidence/trust should DNS cache poisoning become
> > widespread in August and beyond?
> >
> > No need for a "formal" press release, but I think the community
> > deserves to know that people are working on the long-term solution to
> > this problem, and making it a higher priority relative to other lesser
> > issues.
> >
> > Point #14 in the latest policy newsletter appears to be the only "hint"
> > that a few people are working on things:
> >
> > http://www.icann.org/topics/policy/update-jul08.htm#14
> >
> > Hopefully something will happen before Cairo, as by then there might be
> > widespread disruptions to the internet. Perhaps the Board might want to
> > consider an early special meeting this week or next:
> >
> > http://www.icann.org/minutes/
> >
> > instead of waiting until July 31st, in conjunction with the SSAC.
> >
> > Sincerely,
> >
> > George Kirikos
> > http://www.kirikos.com/

Regards,

Spokesman for INEGroup LLA. - (Over 281k members/stakeholders strong!)
"Obedience of the law is the greatest freedom" -
   Abraham Lincoln

"Credit should go with the performance of duty and not with what is
very often the accident of glory" - Theodore Roosevelt

"If the probability be called P; the injury, L; and the burden, B;
liability depends upon whether B is less than L multiplied by
P: i.e., whether B is less than PL."
United States v. Carroll Towing  (159 F.2d 169 [2d Cir. 1947])
===============================================================
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS.
div. of Information Network Eng.  INEG. INC.
ABA member in good standing member ID 01257402 E-Mail
jwkckid1@xxxxxxxxxxxxx
My Phone: 214-244-4827
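The ISC diary quoted above checks a client for the VU#800113 weakness by looking at the source ports in a packet dump and seeing whether they increment. The script below is an added example, not code from this thread, ISC or Apple: it parses tcpdump-style DNS query lines and reports whether the client's source ports (and transaction IDs) look sequential or spread out. The capture lines, addresses and thresholds are constructed for illustration.

```python
import re

# tcpdump-style outbound DNS query lines (constructed sample, not a real
# capture): a client whose source port steps up by one on every query,
# which is the pattern the ISC diary observed on a patched Leopard client.
INCREMENTING_CAPTURE = """\
12:00:00.000100 IP 192.0.2.10.49152 > 192.0.2.53.53: 41022+ A? example.com. (29)
12:00:00.000200 IP 192.0.2.10.49153 > 192.0.2.53.53: 41023+ A? example.net. (29)
12:00:00.000300 IP 192.0.2.10.49154 > 192.0.2.53.53: 41024+ A? example.org. (29)
12:00:00.000400 IP 192.0.2.10.49155 > 192.0.2.53.53: 41025+ A? example.edu. (29)
12:00:00.000500 IP 192.0.2.10.49156 > 192.0.2.53.53: 41026+ A? example.info. (29)
"""
# Same shape (also constructed), but ports and IDs drawn from a wide range.
RANDOMIZED_CAPTURE = """\
12:00:00.000100 IP 192.0.2.10.33112 > 192.0.2.53.53: 5129+ A? example.com. (29)
12:00:00.000200 IP 192.0.2.10.61540 > 192.0.2.53.53: 48771+ A? example.net. (29)
12:00:00.000300 IP 192.0.2.10.2048 > 192.0.2.53.53: 30002+ A? example.org. (29)
12:00:00.000400 IP 192.0.2.10.57319 > 192.0.2.53.53: 12 A? example.edu. (29)
12:00:00.000500 IP 192.0.2.10.17433 > 192.0.2.53.53: 60100+ A? example.info. (29)
"""

# Source port of the client, then the DNS transaction ID (the '+' tcpdump
# prints after the ID when recursion-desired is set is optional).
QUERY_RE = re.compile(r"IP \S+\.(\d+) > \S+\.53: (\d+)\+? ")

def parse_queries(capture):
    """Return (src_port, txid) pairs for each query line that matches."""
    matches = (QUERY_RE.search(line) for line in capture.splitlines())
    return [(int(m.group(1)), int(m.group(2))) for m in matches if m]

def sequential_fraction(values):
    """Share of consecutive pairs whose difference is exactly +1."""
    pairs = list(zip(values, values[1:]))
    if not pairs:
        return 0.0
    return sum(1 for a, b in pairs if b - a == 1) / len(pairs)

def assess(capture):
    """Summarise port/ID behaviour and give a coarse verdict for the client."""
    queries = parse_queries(capture)
    ports = [p for p, _ in queries]
    txids = [t for _, t in queries]
    report = {
        "queries": len(queries),
        "distinct_ports": len(set(ports)),
        "port_seq_fraction": sequential_fraction(ports),
        "txid_seq_fraction": sequential_fraction(txids),
    }
    # Flag the client if most queries step the port by one, or if every
    # query reuses a single port; either leaves only the 16-bit ID to guess.
    predictable = report["port_seq_fraction"] >= 0.5 or report["distinct_ports"] <= 1
    report["verdict"] = "predictable" if predictable else "randomized"
    return report
```

Feed it the output of a filter such as `tcpdump -n udp dst port 53` from the host under test; a few dozen queries are enough to tell a stepping port from a randomized one.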



