Dan Kaminsky

Paul Vixie vixie at isc.org
Tue Aug 4 14:25:54 CDT 2009

Curtis Maurand <cmaurand at xyonet.com> writes:

>> What does this have to do with Nanog, the guy found a critical
>> security bug on DNS last year.
> He didn't find it.  He only publicized it.  the guy who wrote djbdns fount
> it years ago.

first blood on both the DNS TXID attack, and on what we now call the
Kashpureff attack, goes to chris schuba who published in 1993:


i didn't pay any special heed to it since there was no way to get enough
bites at the apple due to negative caching.  when i saw djb's announcement
(i think in 1999 or 2000, so, seven years after schuba's paper came out) i
said, geez, that's a lot of code complexity and kernel overhead for a
problem that can occur at most once per DNS TTL.  and sure enough when we
did finally put source port randomization into BIND it crashed a bunch of
kernels and firewalls and NATs, and is still paying painful dividends for
large ISP's who are now forced to implement it.

why forced?  what was it about kaminsky's announcement that changed this
from a once-per-TTL problem that didn't deserve this complex/costly solution
into a once-per-packet problem that made the world sit up and care?  if you
don't know the answer off the top of your head, then maybe do some reading
or ask somebody privately, rather than continuing to announce in public that
bernstein's problem statement was the same as kaminsky's problem statement.
and, always give credit to chris schuba, who got there first.

> Powerdns was patched for the flaw a year and a half before
> Kaminsky published his article.

nevertheless bert was told about the problem and was given a lengthy window
in which to test or improve his solutions for it.  and i think openbsd may
have had source port randomization first, since they do it in their kernel
when you try to bind(2) to port 0.  most kernels are still very predictable
when they're assigning a UDP port to an outbound socket.
Paul Vixie

More information about the NANOG mailing list