Massive, Coordinated Patch To the DNS Released

← Back to Stories (view on slashdot.org)

Massive, Coordinated Patch To the DNS Released

Posted by kdawson on Tuesday July 8, 2008 @07:12AM from the pretty-much-everybody dept.

tkrabec alerts us to a CERT advisory announcing a massive, multi-vendor DNS patch released today. Early this year, researcher Dan Kaminsky discovered a basic flaw in the DNS that could allow attackers easily to compromise any name server; it also affects clients. Kaminsky has been working in secret with a large group of vendors on a coordinated patch. Eighty-one vendors are listed in the CERT advisory (DOC). Here is the executive overview (PDF) to the CERT advisory — text reproduced at the link above. There's a podcast interview with Dan Kaminsky too. His site has a DNS checker tool on the top page. "The issue is extremely serious, and all name servers should be patched as soon as possible. Updates are also being released for a variety of other platforms since this is a problem with the DNS protocol itself, not a specific implementation. The good news is this is a really strange situation where the fix does not [immediately] reveal the vulnerability and reverse engineering isn't directly possible."

12 of 315 comments (clear)

Min score:

Reason:

Sort:

Re:So give a layman explanation by X0563511 · 2008-07-08 07:18 · Score: 3, Insightful

Dan Kaminsky discovered a basic flaw in the DNS that could allow attackers easily to compromise any name server; it also affects clients.
If you don't understand that, you don't need to care.

--
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
More independent verification needed by suso · 2008-07-08 07:19 · Score: 3, Insightful

Here everyone, install this patch to your Unix/Linux DNS servers that was conceived of on the Microsoft campus.
While if true, one should be expedient to fix it, one should also be careful to verify that this is true.
1. Re:More independent verification needed by suso · 2008-07-08 07:28 · Score: 3, Insightful
  
  Well of course it is. Anyone can make a list. From the investigating I'm doing right now, it does seem to be legit. But I just think its important to be careful. Don't just blindly patch what is probably the most critical service on your network.
2. Re:More independent verification needed by isorox · 2008-07-08 08:10 · Score: 3, Insightful
  
  but if it's something you consider that critical and are that suspicious of, yes, your staff should have the relevant expertise in-house to read and evaluate what's going on.
  Or have the ability to recognise they are out of their depth and be able to use resources from other departments (or even external suppliers)
3. Re:More independent verification needed by Penguin+Follower · 2008-07-08 08:17 · Score: 4, Insightful
  
  So you are insinuating that all system admins also have to be programmers? There are plenty of people with the skills to set up, maintain, and secure (properly) systems of all kinds (*nix, Windows, Macs, Cisco equip) who are NOT programmers. Some people are not cut out to be programmers, but are quite capable outside of that realm...
4. Re:More independent verification needed by Schraegstrichpunkt · 2008-07-08 08:29 · Score: 4, Insightful
  
  Right... How many otherwise competent sysadmins do you know who can't C code? I've known plenty. Usually the good coders get jobs as coders, rather than as sysadmins.
  
  --
  http://outcampaign.org/
5. Re:More independent verification needed by lukas84 · 2008-07-08 08:37 · Score: 5, Insightful
  
  Why the sarcasm? If you're hiring sysadmins who aren't also system-level developers, you're not hiring people who can Do The Job Right.
  People with that amount of expertise will hardly be challenged by sysadmin position. And without a challenge you'll get bored. As such, you'll never find people with such high qualifications in sysadmin position.
  A sysadmin of course needs to know his stuff, and especially a unix sysadmin should be able to read C code and get the basics (and have extensive knowledge in scripting languages).
  But i doubt that understand the gritty details how bind works (or reading a DNS packet with just a hex editor) is something that can be expected from a sysadmin.
  But i also might just be defending my lack of knowledge, so beware :)
Re:Hmmm by outZider · 2008-07-08 07:36 · Score: 4, Insightful

Because it isn't 1912, and we aren't on the Titanic. They can say with reasonable confidence that it's difficult to find the underlying issue, but nothing is hackproof, or sinkproof, or lameproof.

--
- oZ
// i am here.
Re:My first response is to call Bullshit by winkydink · 2008-07-08 08:36 · Score: 3, Insightful

Google Dan Kaminsky and come back and talk.

--
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
Re:Oh cool! by GeffDE · 2008-07-08 08:37 · Score: 5, Insightful

Seriously, is an IP address too much to ask?

Article should be modded +1 Ironic because the links necessitate the use of DNS...at the very least, the DNS checker should have been a straight IP.

WTF?

--
It has been a nervous year, with people beginning to feel like Christian Scientists with appendicitis.
Re:The real solution... by Ethanol · 2008-07-08 10:40 · Score: 3, Insightful

The largest DLV repository that validates that the DNSKEYs belong to who they say they belong to (think Verisign-style verification), is run by isc.org.
(My employer, BTW.)

I'm a part of a DNSSEC monitoring project (called SecSpider). [...] This serves the same purpose as ISC's repo, but the data is collected in an orthogonal manner. We currently have DLV records for over 12000 zones, although we haven't directly verified the identity of any of them.
That's an intriguing idea, but it doesn't really serve the same purpose as ISC's DLV until you do verify identity. (Would UCLA's lawyers be comfortable with someone relying on your DLV record repository for, say, banking transactions?)
Re:So give a layman explanation by deathsyn · 2008-07-08 14:07 · Score: 5, Insightful

Dan Kaminsky discovered a basic flaw in the DNS that could allow attackers easily to compromise any name server; it also affects clients.
If you don't understand that, you don't need to care.
What's funny is that the CERT advisory gives Dan Bernstein credit for the work around, which he came up with over 7 years ago.