Slashdot Mirror


Massive, Coordinated Patch To the DNS Released

tkrabec alerts us to a CERT advisory announcing a massive, multi-vendor DNS patch released today. Early this year, researcher Dan Kaminsky discovered a basic flaw in the DNS that could allow attackers to easily compromise any name server; it also affects clients. Kaminsky has been working in secret with a large group of vendors on a coordinated patch. Eighty-one vendors are listed in the CERT advisory (DOC). Here is the executive overview (PDF) of the CERT advisory, with its text reproduced at the link above. There's a podcast interview with Dan Kaminsky too. His site has a DNS checker tool on the top page. "The issue is extremely serious, and all name servers should be patched as soon as possible. Updates are also being released for a variety of other platforms since this is a problem with the DNS protocol itself, not a specific implementation. The good news is this is a really strange situation where the fix does not [immediately] reveal the vulnerability and reverse engineering isn't directly possible."

3 of 315 comments

  1. Re:More independent verification needed by lukas84 · · Score: 5, Insightful

    Why the sarcasm? If you're hiring sysadmins who aren't also system-level developers, you're not hiring people who can Do The Job Right.

    People with that amount of expertise will hardly be challenged by a sysadmin position. And without a challenge you'll get bored. As such, you'll never find people with such high qualifications in a sysadmin position.

    A sysadmin of course needs to know his stuff, and especially a unix sysadmin should be able to read C code and get the basics (and have extensive knowledge in scripting languages).

    But I doubt that understanding the gritty details of how BIND works (or reading a DNS packet with just a hex editor) is something that can be expected from a sysadmin.

    But I also might just be defending my lack of knowledge, so beware :)

  2. Re:Oh cool! by GeffDE · · Score: 5, Insightful

    Seriously, is an IP address too much to ask?

    Article should be modded +1 Ironic because the links necessitate the use of DNS...at the very least, the DNS checker should have been a straight IP.

    WTF?

    --
    It has been a nervous year, with people beginning to feel like Christian Scientists with appendicitis.

  3. Re:So give a layman explanation by deathsyn · · Score: 5, Insightful

    Dan Kaminsky discovered a basic flaw in the DNS that could allow attackers easily to compromise any name server; it also affects clients.

    If you don't understand that, you don't need to care.

    What's funny is that the CERT advisory gives Dan Bernstein credit for the workaround, which he came up with over 7 years ago.
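As an added example, not code from the Slashdot summary, the CERT advisory, Kaminsky or any of the commenters: the first two functions do the "reading a DNS packet with just a hex editor" exercise from comment 1 in code, and the assessment function checks for the property the workaround credited to Bernstein in comment 3 gives a resolver. That workaround is source-port randomization, which this page does not spell out and is stated here as the editor's own knowledge. The resolver traffic below is constructed, not captured; the fixed port 32768, the query names, and the RNG seed are arbitrary choices for the sample.

```python
"""Added example: decode DNS query headers and check whether a resolver's
outbound queries carry the entropy (random source port plus random TXID)
that the 2008 multi-vendor patch adds. Sample traffic is constructed."""
import math
import random
import struct
from collections import Counter


def parse_dns_header(packet: bytes) -> dict:
    """Decode the fixed 12-byte DNS header (RFC 1035 section 4.1.1)."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": txid,                      # 16-bit transaction ID
        "qr": flags >> 15,               # 0 = query, 1 = response
        "opcode": (flags >> 11) & 0xF,
        "rd": (flags >> 8) & 1,          # recursion desired
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def parse_question_name(packet: bytes, offset: int = 12) -> str:
    """Read the QNAME that follows the header (queries carry no pointers)."""
    labels = []
    while packet[offset] != 0:
        length = packet[offset]
        if length & 0xC0:
            raise ValueError("compression pointer in a query name")
        labels.append(packet[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels)


def build_query(txid: int, name: str) -> bytes:
    """Minimal A/IN query with RD set; used only to construct sample traffic."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def entropy_bits(values) -> float:
    """Shannon entropy of an observed sample, in bits."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def assess_resolver(queries) -> dict:
    """queries: list of (udp_source_port, packet_bytes) seen leaving a resolver.

    A patched resolver spreads queries over many source ports, so a forger has
    to guess port and TXID together; a fixed port leaves only the 16-bit TXID,
    and sequential TXIDs leave nothing to guess at all."""
    ports = [p for p, _ in queries]
    txids = [parse_dns_header(pkt)["id"] for _, pkt in queries]
    problems = []
    if len(txids) > 1 and all(b - a == 1 for a, b in zip(txids, txids[1:])):
        problems.append("sequential TXIDs")
    distinct_ports = len(set(ports))
    if distinct_ports == 1:
        problems.append("fixed source port")
    elif distinct_ports < len(queries) // 2:
        problems.append("little source-port entropy")
    verdict = ("unpatched: " + ", ".join(problems)) if problems \
        else "patched: randomized source port and TXID"
    return {
        "distinct_ports": distinct_ports,
        "distinct_txids": len(set(txids)),
        "port_entropy_bits": round(entropy_bits(ports), 2),
        "txid_entropy_bits": round(entropy_bits(txids), 2),
        "verdict": verdict,
    }


# Constructed samples (hypothetical traffic, not a capture of any resolver).
rng = random.Random(2008)
NAMES = [f"host{i}.example.com" for i in range(24)]

# Pre-patch behaviour: one fixed source port and a counter for the TXID.
OLD_RESOLVER = [(32768, build_query(0x1000 + i, n)) for i, n in enumerate(NAMES)]
# Post-patch behaviour: random ephemeral port and random TXID per query.
NEW_RESOLVER = [(rng.randrange(1024, 65536), build_query(rng.randrange(65536), n))
                for n in NAMES]

if __name__ == "__main__":
    pkt = OLD_RESOLVER[0][1]
    print(pkt[:12].hex(" "), parse_dns_header(pkt), parse_question_name(pkt))
    print("old:", assess_resolver(OLD_RESOLVER))
    print("new:", assess_resolver(NEW_RESOLVER))
```

To use this on a real resolver, feed `assess_resolver` the (UDP source port, DNS payload) pairs from a packet capture of its outbound queries; a NAT device in front of the resolver can undo the randomization by rewriting ports, so capture on the outside of any NAT. Unlike the online checker the summary points to, this reads a capture and needs no DNS lookups to run.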