Paul Vixie: Re: [dns-operations] DNS issue accidentally leaked?

Paul Vixie vixie at
Thu Jul 24 15:54:44 UTC 2008

> > > 11 seconds.
> > >
> > > and at&t refuses to patch.
> > >
> > > and all iphones use those name servers.
> > 
> > Has at&t told you they are refusing to patch?  Or are you just spreading
> > FUD about at&t and don't actually have any information about their plans?
> I believe it is a hypothetical situation being presented...

so, no one else has had multiple copies of the following fwd'd to them with
the heading, "WTF,O?"  note that it's full of factual errors but does seem
to represent AT&T's position on CERT VU# 800113.  that someone inside AT&T
just assumed that this was the same problem as described in CERT VU#252735
and didn't bother to call CERT, or kaminsky, or me, to verify, ASTOUNDS me.

(if someone from AT&T's DNS division has time to chat, my phone numbers are
in `whois -h pv15-arin`.)


"AT&T Response: US-CERT DNS Security Alert- announced July 8, 2008

On July 8, 2008, US-CERT issued a Technical Cyber Security Alert
TA08-190B with the title 'Multiple DNS implementations vulnerable to
cache poisoning.'  This alert describes how deficiencies in the DNS
protocol and common DNS implementations facilitate DNS Cache poisoning
attacks. This vulnerability only affects caching DNS servers, not
authoritative DNS servers. This alert instructed administrators to
contact their vendors for patches.

The DNS community has been aware of this vulnerability for some time.
A CERT technical bulletin issued in July 2007 identified this
vulnerability, but at the time no patches were available from vendors.

AT&T does not disclose the name of its DNS vendors as a security measure
but has implemented a preliminary patch that was available in January,
2008. The latest patch for alert TA08-190B is currently being tested and
will be deployed in the network as soon as its quality has been assured.

AT&T employs best practices in the management of its DNS infrastructure.
For example, the majority of AT&T's caching DNS infrastructures have
load balancers.  Load balancers decrease the risk significantly because
hackers are unable to target specific DNS servers.  As with all patches
to software affecting AT&T's production networks and infrastructure,
AT&T first tests the patches in the lab to ensure they work as expected
and then certifies them before deploying them into our production


Security is of paramount importance to AT&T. AT&T has a comprehensive
approach to the security of its networks and supporting infrastructures.
AT&T is meeting or exceeding our world-class DNS network performance
measures.  We will continue to monitor the situation and will deploy
software upgrades, as warranted, following our structured testing and
certification process."

