Dan Kaminsky

bert hubert bert.hubert at netherlabs.nl
Wed Aug 5 06:24:16 UTC 2009


On Tue, Aug 4, 2009 at 9:25 PM, Paul Vixie<vixie at isc.org> wrote:
> i didn't pay any special heed to it since there was no way to get enough
> bites at the apple due to negative caching.  when i saw djb's announcement
> (i think in 1999 or 2000, so, seven years after schuba's paper came out) i
> said, geez, that's a lot of code complexity and kernel overhead for a
> problem that can occur at most once per DNS TTL.  and sure enough when we

Even then it was worth it, and it was silly that the DNS community ignored him.

Note that work on RFC 5452 started two years before Kaminsky's announcement.

>> Powerdns was patched for the flaw a year and a half before
>> Kaminsky published his article.
>
> nevertheless bert was told about the problem and was given a lengthy window
> in which to test or improve his solutions for it.  and i think openbsd may

You told me about the problem so I would not accidentally reveal it in
process of working on and discussing my draft. You also told me you'd
block progress of the draft until after the Kaminsky announcement. And
given the tactics you employ on the IETF DNSEXT mailing list, I knew
you'd succeed. Recall that the draft contained 'MUST' wording that
would've made it embarrassing for BIND *not* to implement source port
randomization.

I didn't have to make any changes to PowerDNS as I was aware of the
danger of using a single source port already. In addition, remember
the one famous successful attempt to spoof a source port randomizing
nameserver, which took 10 hours and gigabit speeds? The same guy
attempted this attack against PowerDNS, and failed for a simple (and
accidental) reason.

It turns out that PowerDNS query throttling and PowerDNS timeout
caching make it very hard to find the sweet spot between generating
enough queries to spoof a domain in a timely manner, but not
overloading the server or the network to the point that timeouts will
be generated, which leads to PowerDNS no longer sending out
queries.

That does not mean that I think the DNS is 'safe' now. My other
attempt to increase DNS security in a simple way ('EDNS PING') was
blocked as effectively as the RFC 5452 drafts were, and I've given up
on that route. See
http://www.ops.ietf.org/lists/namedroppers/namedroppers.2009/msg00760.html

I'll be at HAR2009 next week, and I understand both Kaminsky and
EDNS-PING co-author David Ulevitch will be there, which should be fun.

I'll also be presenting on DNS security risks, which will cover the
subjects above as well.

     Bert
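As an added example (not code from this message, nor from PowerDNS or BIND), a defender-side audit of the source port randomization Bert refers to: given (source_port, txid) pairs captured from a resolver's outgoing queries, it estimates how much entropy the ports actually carry and flags a resolver that leaves only the 16-bit TXID to be guessed. The sample captures are constructed, not real traffic, and the "half of the observable ceiling" threshold is an assumption.

```python
import math
import random
from collections import Counter

def shannon_bits(values):
    """Shannon entropy in bits of the observed distribution of `values`."""
    counts = Counter(values)
    n = len(values)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())

def audit_resolver(samples):
    """samples: list of (source_port, txid) pairs seen on a resolver's
    outgoing queries. Flags a resolver whose source ports carry little
    entropy, i.e. one that leaves only the 16-bit TXID to be guessed."""
    n = len(samples)
    ports = [p for p, _ in samples]
    txids = [t for _, t in samples]
    port_bits = shannon_bits(ports)
    txid_bits = shannon_bits(txids)
    # With n samples the most entropy we can observe is log2(n); treat
    # anything below half of that as "not really randomized" (assumed threshold).
    ceiling = math.log2(n)
    weak_ports = port_bits < 0.5 * ceiling
    return {
        "samples": n,
        "distinct_ports": len(set(ports)),
        "port_bits": round(port_bits, 2),
        "txid_bits": round(txid_bits, 2),
        "observable_ceiling_bits": round(ceiling, 2),
        "verdict": "FIXED-OR-WEAK-SOURCE-PORT" if weak_ports else "RANDOMIZED",
    }

def make_samples(kind, n=400, seed=1):
    """Constructed sample captures (not real traffic) for three resolver styles."""
    rng = random.Random(seed)
    if kind == "randomized":          # fresh high port per query
        return [(rng.randint(1024, 65535), rng.randint(0, 65535)) for _ in range(n)]
    if kind == "fixed":               # classic single source port, TXID only
        return [(53, rng.randint(0, 65535)) for _ in range(n)]
    if kind == "small_pool":          # cycles through 8 ports: only 3 bits
        pool = [40000 + i for i in range(8)]
        return [(pool[i % 8], rng.randint(0, 65535)) for i in range(n)]
    raise ValueError(kind)

if __name__ == "__main__":
    for kind in ("randomized", "fixed", "small_pool"):
        print(kind, audit_resolver(make_samples(kind)))
```

On a real resolver the pairs would come from a packet capture of port 53 traffic leaving the box; a few hundred queries is enough for the verdict to be meaningful.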




More information about the NANOG mailing list