Re: [ga] Kaminsky on dns bugs - Bernstein responds

["Joe Baptista" <baptista@xxxxxxxxxxxxxx>]

On Sat, Aug 9, 2008 at 7:25 PM, JFC Morfin <jefsey@xxxxxxxxxxxxxxxx> wrote:

>  At 05:58 09/08/2008, Joe Baptista wrote:
>
> On Fri, Aug 8, 2008 at 11:11 PM, JFC Morfin <jefsey@xxxxxxxxxxxxxxxx >
> wrote:
>  Joe,
> you do not want to answer my question?
> Is a local nameserver using a local root subject to that kind a security
> problem?
>
> Sorry Jefsey - I don't have a problem with answering that question.  I
> assume you asked it and I missed it.
>
> The answer is yes if the local root is a recursive server.
>
>
> Sorry, I missed that. Obviously, only local querries allowed.
>

Thanks for correcting the  "is" to an if.  Well no. That is not the case.
This is not a dns centric problem.  The problem is the programmers who been
going down the merry patching trail - i'll call them "Vixie and his vixens"
and in my opinion Kaminsky is one of those vixens.

All you need to do to avoid this issue is install a server that works.
That will prevent your server from being abused.  The problem however does
not go away.  Your recursive root server is still vulnerable to the problem
because every other server on the internet is also vulnerable to the
problem.  And most servers have not been patched.

I used to keep statistics of the server versions many years ago.  But I
expect things have not changed much and chances are most servers on the net
will not be patched.  And any one of those servers can give you bogus
answers if they are vulnerable.

One can implement programs that secure dns numbers out side the dns itself
to keep things kosher.  When you have the budget give me a ringy dingy on
that when you get a budget.

Another thing that can be done is someone with a budget and an interest in
security can audit the existing known dns and then proceed to contact the
upstreams.  Thats a project for a benevolent association.

Bottom line - ICANN with its resources could so easily secure the net.  It
could do the work I have outlined in general terms above.  Instead it is
trying to make itself king by hyping up the hysteria to get the world to
convert to DNSSEC and give the vixie vixen 13 roots control of all internet
transactions.  No one has the right to that much power.


> The reason why I ask is that at france@large we start working on "*Internet
> Plus*" as a user architecture transparent to the legacy Internet.
>

How is that different from what I did at the HEX.  Sounds like the same
concept.  In any case its a root structure I will support in principle.


> The problem is obviously Windows.
>

windows is not a problem.  to build such a network you should think outside
the standard port ranges.  just design a little smart program to point the
windows resolver to x.x.x.x and x.x.x.x at port 3000 and auto update.


> However, Unbound should be ported under Windows. So, I plan starting
> campaigning for an "Internet Plus" by way of usage, using Unbound as a local
> resolver, using a local root file, hence calling directly the TLD servers.
>

well the next scare i'm sure they will have now that the DNSSEC nonsense is
in the wind is scare ISPs into closing down port 53.  So think three
thousand.


> At the same time, I want to see how to use an *IPv6 /3 Block* to establish
> a people's IPv6 numbering plan for application sub-numbering (using the IPv6
> header this way will be labeled "*TCP/IPP*" (IP Plus").
>

IPv6 tunneling - lots of experiments done on that.  Not much IPv6 out
there.  Unless of course you take into consideration that any ipv4 number
can be an ipv6 block.

The IPv6 TF supports this. Obviously this Internet Plus will be a
> competitive offer against the "*Internet for the Rich*" proposed by ICANN
> and will use a "*Competitive Root*" as required by the NTIA (ICANN is to
> better foster compeition)  which willl be an Internet plus "*by the people
> for the people in support of the people centric Information Society*",
> which is the WSIS consensus.
>

I don't mind the rich being involved in the expansion of the internet.  The
HEX had alot of rich people involved and thats how we got the Turkish
government on board.  The trick here is getting the rich to accept that they
are no longer in charge of the DNS.  Much of the DNS these days is run by
various countries.  ICANNs market share has dropped to 70%.  Thats
significant.

this is going to be a fun year.  the year the bwg saved icann or failed in
the process.  the bwg, the last bastion of the intellectuals.  will they win
or lose.

cheers
joe baptista

-- 
Joe Baptista
www.publicroot.org
PublicRoot Consortium
----------------------------------------------------------------
The future of the Internet is Open, Transparent, Inclusive, Representative &
Accountable to the Internet community @large.
----------------------------------------------------------------
Office: +1 (360) 526-6077 (extension 052)
Fax: +1 (509) 479-0084