On Wed, Aug 6, 2008 at 10:46 PM, George Kirikos
<<mailto:gkirikos@xxxxxxxxx>gkirikos@xxxxxxxxx> wrote:
Hello,
Just to followup, ICANN sent out a news release earlier:
<http://www.icann.org/en/announcements/announcement-06aug08-en.htm>http://www.icann.org/en/announcements/announcement-06aug08-en.htm
It's a step in the right direction, to help educate folks. However,
there's no true "fix", as the protocol itself is broken. A move towards
DNSSEC or other secure DNS would be the only appropriate long-term
solution.
There is nothing wrong with the protocol. Its the software thats
the issue. And this is easy to fix. I've run some tests and with a
little DNS magic you can make you DNS very secure.
Another big help would be to update your software including any NAT devices.
The whole DNSSEC thing is another red herring in the making.
Also there is nothing ICANN nor anyone else can do about this. The
world is running a lot of insecure servers. BIND has always been
buggy and true to form it will continue to be buggy. Have you any
idea how many buggy systems are out there. i.e. almost all of
them. Unless of course your running burnsteins DNS which already
fixed this problem a long time ago.
It bother me that people who have no idea what the technical issues
are get so easily baited by this issue. George - let go the ICANN
red herring. Its just another smoke screen.
The real issue here is what sort of out reach programs is ICANN
involved in to get people to upgrade and fix their buggy dns
servers. DNSSEC is not going to save them.
cheers
joe baptista
If there's ever a cyber 9/11, as Lessig discussed at:
<http://news.slashdot.org/article.pl?sid=08/08/05/220229>http://news.slashdot.org/article.pl?sid=08/08/05/220229
widespread DNS cache poisoning might be one of the root causes.
I'd like to hear from VeriSign as to whether they're planning to
implement DNSSEC or a secure DNS alternative for .com/net, as PIR
intends for .org.
Sincerely,
George Kirikos
<http://www.kirikos.com/>http://www.kirikos.com/
--- George Kirikos <<mailto:gkirikos@xxxxxxxxx>gkirikos@xxxxxxxxx> wrote:
>
> Hello,
>
> ICANN and VeriSign have been oddly quiet over the entire DNS cache
> poisoning issue:
>
>
<http://www.kb.cert.org/vuls/id/800113>http://www.kb.cert.org/vuls/id/800113
> http://www.circleid.com/posts/87143_dns_not_a_guessing_game/
>
<http://it.slashdot.org/article.pl?sid=08/07/08/195225&tid=172>http://it.slashdot.org/article.pl?sid=08/07/08/195225&tid=172
>
> PIR has a pending proposal to implement DNSSEC for .org:
>
>
<http://www.icann.org/registries/rsep/>http://www.icann.org/registries/rsep/
>
> Is that something that VeriSign has plans to accelerate for the
> important .com and .net registries, in order to prevent a long-term
> meltdown in DNS confidence/trust should DNS cache poisoning become
> widespread in August and beyond?
>
> No need for a "formal" press release, but I think the community
> deserves to know that people are working on the long-term solution to
> this problem, and making it a higher priority relative to other
> lesser
> issues.
>
> Point #14 in the latest policy newsletter appears to be the only
> "hint"
> that a few people are working on things:
>
>
<http://www.icann.org/topics/policy/update-jul08.htm#14>http://www.icann.org/topics/policy/update-jul08.htm#14
>
> Hopefully something will happen before Cairo, as by then there might
> be
> widespread disruptions to the internet. Perhaps the Board might want
> to
> consider an early special meeting this week or next:
>
> <http://www.icann.org/minutes/>http://www.icann.org/minutes/
>
> instead of waiting until July 31st, in conjunction with the SSAC.
>
> Sincerely,
>
> George Kirikos
> <http://www.kirikos.com/>http://www.kirikos.com/
--
Joe Baptista
<http://www.publicroot.org>www.publicroot.org
PublicRoot Consortium
----------------------------------------------------------------
The future of the Internet is Open, Transparent, Inclusive,
Representative & Accountable to the Internet community @large.
----------------------------------------------------------------
Office: +1 (360) 526-6077 (extension 052)
Fax: +1 (509) 479-0084