ICANN/GNSO GNSO Email List Archives

[ga]



Re: [ga] What are ICANN and VeriSign doing regarding CERT Advisory #800113 / DNS Cache Poisoning?

  • To: "Joe Baptista" <baptista@xxxxxxxxxxxxxx>, "George Kirikos" <gkirikos@xxxxxxxxx>
  • Subject: Re: [ga] What are ICANN and VeriSign doing regarding CERT Advisory #800113 / DNS Cache Poisoning?
  • From: JFC Morfin <jefsey@xxxxxxxxxxxxxxxx>
  • Date: Thu, 07 Aug 2008 18:11:21 +0200

Amen.
But you did not answer my question about local Unbound running local roots.
Also, I am surprised that no one mentioned the "Web 2.0" need for "TTL 0" to manage access load. In such a case there is no cache.
jfc


At 06:15 07/08/2008, Joe Baptista wrote:

On Wed, Aug 6, 2008 at 10:46 PM, George Kirikos <gkirikos@xxxxxxxxx> wrote:
Hello,
Just to followup, ICANN sent out a news release earlier:

http://www.icann.org/en/announcements/announcement-06aug08-en.htm
It's a step in the right direction, to help educate folks. However,
there's no true "fix", as the protocol itself is broken. A move towards
DNSSEC or other secure DNS would be the only appropriate long-term
solution.


There is nothing wrong with the protocol. It's the software that's the issue. And this is easy to fix. I've run some tests and with a little DNS magic you can make your DNS very secure.

Another big help would be to update your software including any NAT devices.

The whole DNSSEC thing is another red herring in the making.

Also there is nothing ICANN nor anyone else can do about this. The world is running a lot of insecure servers. BIND has always been buggy and true to form it will continue to be buggy. Have you any idea how many buggy systems are out there? I.e., almost all of them. Unless of course you're running Bernstein's DNS which already fixed this problem a long time ago.

It bothers me that people who have no idea what the technical issues are get so easily baited by this issue. George - let go of the ICANN red herring. It's just another smoke screen.

The real issue here is what sort of outreach programs ICANN is involved in to get people to upgrade and fix their buggy DNS servers. DNSSEC is not going to save them.

cheers
joe baptista



If there's ever a cyber 9/11, as Lessig discussed at:

http://news.slashdot.org/article.pl?sid=08/08/05/220229
widespread DNS cache poisoning might be one of the root causes.
I'd like to hear from VeriSign as to whether they're planning to
implement DNSSEC or a secure DNS alternative for .com/net, as PIR
intends for .org.
Sincerely,
George Kirikos
http://www.kirikos.com/
--- George Kirikos <gkirikos@xxxxxxxxx> wrote:
>
> Hello,
>
> ICANN and VeriSign have been oddly quiet over the entire DNS cache
> poisoning issue:
>
> http://www.kb.cert.org/vuls/id/800113
> http://www.circleid.com/posts/87143_dns_not_a_guessing_game/
> http://it.slashdot.org/article.pl?sid=08/07/08/195225&tid=172
>
> PIR has a pending proposal to implement DNSSEC for .org:
>
> http://www.icann.org/registries/rsep/
>
> Is that something that VeriSign has plans to accelerate for the
> important .com and .net registries, in order to prevent a long-term
> meltdown in DNS confidence/trust should DNS cache poisoning become
> widespread in August and beyond?
>
> No need for a "formal" press release, but I think the community
> deserves to know that people are working on the long-term solution to
> this problem, and making it a higher priority relative to other lesser
> issues.
>
> Point #14 in the latest policy newsletter appears to be the only "hint"
> that a few people are working on things:
>
> http://www.icann.org/topics/policy/update-jul08.htm#14
>
> Hopefully something will happen before Cairo, as by then there might be
> widespread disruptions to the internet. Perhaps the Board might want to
> consider an early special meeting this week or next:
>
> http://www.icann.org/minutes/
>
> instead of waiting until July 31st, in conjunction with the SSAC.
>
> Sincerely,
>
> George Kirikos
> http://www.kirikos.com/




--
Joe Baptista
http://www.publicroot.org
PublicRoot Consortium
----------------------------------------------------------------
The future of the Internet is Open, Transparent, Inclusive, Representative & Accountable to the Internet community @large.
----------------------------------------------------------------
 Office: +1 (360) 526-6077 (extension 052)
    Fax: +1 (509) 479-0084
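A defender-side check for the mitigation CERT VU#800113 calls for (randomized UDP source ports and transaction IDs on a resolver's outbound queries), added here as an example and not part of this thread or of any project's code. The log line format and all sample values are constructed; a run of strictly sequential ports is flagged separately because a NAT device that rewrites ports can undo the resolver's randomization.

```python
"""Assess source-port / transaction-ID randomization of outbound resolver
queries (the VU#800113 mitigation).  Added example; log format is constructed."""
import math
from collections import Counter

# Constructed sample logs: "timestamp src_port txid(hex) qname"
FIXED_PORT_LOG = [
    "2008-08-07T10:00:01 53 1a2b example.com.",
    "2008-08-07T10:00:02 53 1a2c example.net.",
    "2008-08-07T10:00:03 53 1a2d example.org.",
    "2008-08-07T10:00:04 53 1a2e icann.org.",
]
RANDOM_PORT_LOG = [
    "2008-08-07T10:00:01 41023 9f31 example.com.",
    "2008-08-07T10:00:02 58766 0c4a example.net.",
    "2008-08-07T10:00:03 33107 e71d example.org.",
    "2008-08-07T10:00:04 60211 5b08 icann.org.",
]
NAT_SEQUENTIAL_LOG = [  # a NAT rewriting ports to an incrementing counter
    "2008-08-07T10:00:01 1025 7a10 example.com.",
    "2008-08-07T10:00:02 1026 3c9e example.net.",
    "2008-08-07T10:00:03 1027 b4f2 example.org.",
    "2008-08-07T10:00:04 1028 58d1 icann.org.",
]

def shannon_entropy_bits(values):
    """Shannon entropy in bits of the observed value distribution."""
    n = len(values)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(values).values())

def parse_query_log(lines):
    """Return (src_port, txid) tuples; malformed lines are skipped."""
    records = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            records.append((int(parts[1]), int(parts[2], 16)))
        except ValueError:
            continue
    return records

def assess_randomization(records):
    """Verdict: ports must be varied (entropy near log2(n)) and not sequential."""
    ports = [p for p, _ in records]
    txids = [t for _, t in records]
    n = len(records)
    max_bits = math.log2(n) if n > 1 else 0.0
    port_bits = shannon_entropy_bits(ports)
    sequential = n >= 3 and all(b - a == 1 for a, b in zip(ports, ports[1:]))
    return {
        "queries": n,
        "distinct_ports": len(set(ports)),
        "port_entropy_bits": port_bits,
        "txid_entropy_bits": shannon_entropy_bits(txids),
        "sequential_ports": sequential,
        "randomized": n > 1 and port_bits >= 0.9 * max_bits and not sequential,
    }
```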

