Paul Vixie Responds To DNS Hole Skeptics

syncro writes "The recent massive, multi-vendor DNS patch advisory related to DNS cache poisoning vulnerability, discovered by Dan Kaminsky, has made headline news. However, the secretive preparation prior to the July 8th announcement and hype around a promised full disclosure of the flaw by Dan on August 7 at the Black Hat conference has generated a fair amount of backlash and skepticism among hackers and the security research community. In a post on CircleID, Paul Vixie offers his usual straightforward response to these allegations. The conclusion: 'Please do the following. First, take the advisory seriously — we're not just a bunch of n00b alarmists, if we tell you your DNS house is on fire, and we hand you a fire hose, take it. Second, take Secure DNS seriously, even though there are intractable problems in its business and governance model — deploy it locally and push on your vendors for the tools and services you need. Third, stop complaining, we've all got a lot of work to do by August 7 and it's a little silly to spend any time arguing when we need to be patching.'"

I'm not worried

[niceone]

I just remember the IP addresses and type them in myself. How hard is that?

Re:I'm not worried

[socsoc]

That's really hard on web servers that host multiple domains on a single IP. Virtual hosting isn't exactly a new idea.

Re:I'm not worried

[queldor]

Are you going to remember IP address in IPv6 also? Seems to me that DNS will become more important.

Re:I'm not worried

[Klaus_1250]

Why is that hard? Still works with IP-addresses. The only thing you need to do is to supply the Host-field as per HTTP/1.1.

Re:I'm not worried

[Atti+K.]

Damn, I forgot... what was slashdot again?

Re:I'm not worried

[pato101]

I just remember the IP addresses and type them in myself. How hard is that?

Gentlemen, We are reading a post from Chuck Norris. Of course he is a "niceone", anyone willing to disagree?

Re:I'm not worried

[Nullav]

216.34.181.48

Re:I'm not worried

[cnettel]

I just remember the IP addresses and type them in myself. How hard is that?

That's all well and dandy until banner ads start flashing subliminal messages of unauthorized zone updates to you.

Re:I'm not worried

[Toutatis]

How can you know then that the flaw isn't in your mind too.

Re:I'm not worried

[morgauo]

Meh! Just put the domains in your hostfile.... All of them....

Re:I'm not worried

[Atti+K.]

Where did you get thet? From a (unpatched!) DNS server maybe?

Re:I'm not worried

[Nullav]

Hey!
I am an unpatched DNS server, you insensitive clod!

Re:I'm not worried

whois record lookup and phone to sourceforge instead of typing nslookup
i do that for every website i visit. its secure.

Re:I'm not worried

You just need to remember harder.

Re:I'm not worried

[element-o.p.]

Not really:

$ telnet 209.112.170.79 80
Trying 209.112.170.79...
Connected to 209.112.170.79.
Escape character is '^]'.
GET http://www.element-o-p.com/
<...snip...>
$

Works just fine.

EDIT: Ignore the "[element-o-p.com]" in the snippet above -- /. is editing my post to make sure the URL in the GET line is unobfuscated -- even though it's not supposed to be a link (grrrr....)

Re:I'm not worried

[Lennie]

That's why 'smart' people use /etc/hosts. That solves the problem of remembering and of the HTTP-host-header.

Re:I'm not worried

[bill_mcgonigle]

EDIT: Ignore the "[element-o-p.com]" in the snippet above -- /. is editing my post to make sure the URL in the GET line is unobfuscated -- even though it's not supposed to be a link (grrrr....)

You Preview? Welcome to the 1%.

Re:I'm not worried

I use hosts. Paul, come-in Paul.

Re:I'm not worried

[element-o.p.]

Yeah, I like to be different :)

Re:I'm not worried

[camperslo]

I'm wondering how feasible it would be to provide some added DNS protection at the client end. Most of the computers and consumer routers I've dealt with took entries for three DNS servers (or got them by DHCP). I'm not sure whether all three get queried and the first result used, or the first queried, then the second if there's no response from the first?

Behavior probably varies by OS as this short tale illustrates a bug in Mac OS 9: (back on topic after this...)
Years ago I encountered a problem where some Mac OS 9 users using DHCP with Charter were getting "dead browser" behavior. They were not getting any DNS lookup when the first of the three Charter was giving by DHCP was a dead server. The Macs apparently weren't trying or using the results from the other two. Although I'd told Charter about it, the support person didn't apparently didn't think it mattered because I said I had my system running fine by using a different server with the DNS IPs entered manually. On visiting a friend having what he called "no connectivity" ask me to fix his machine, I found the problem was still there over 6 weeks later!!
At that point I called support and asked for a supervisor (which got me to someone in tier 2 management), and when I explained what was going on and that it had no doubt been affecting a number of people the response was "Oh shit!".... At last someone understood. Later that day I saw the DHCP server had been reconfigured to list one of the working DNSs twice, deleting the entry for the server that was down...

What I'm wondering now, is couldn't our client machines make better use of multiple DNS servers? I would have hoped they would ping all available occasionally (or just time lookup results), then make the fastest one the default to reduce latency.
Many times when I've seen people complaining their system was slow (for web surfing), the problem seemed to be DNS latency rather than one of bandwidth.
For the current topic where the trustworthiness of DNS results is the big issue, perhaps there could be a client mode that looks at the DNS results and requires all three, or at least two of three, to agree. That'd be slower, but more secure.
Perhaps some sort of alert box could be presented. Or perhaps something (like Apple's software update) could temporarily automatically throw the lookup into a require two or three matched results mode, while normally just using the fastest one?
I suppose the fastest could always be used, and then a warning dialog/alert box thrown up if the other servers disagree.
Of course it would probably best best if the three servers were unrelated, maybe one from the clients ISP, OpenDNS, and a third somewhere else. An added benefit might be optional detection/blocking of DNS provided ad pages.

stability

[eneville]

ive never had to change tinydns installs for security reasons

Re:stability

[hostyle]

I heard that this "security fix" is the addition of support for the Evil Bit.

The back-biting is shameful

[hal9000(jr)]

this article at information week said it best the day after the announcement.

Geez, if you want responsible disclosure, you have to trust the experts when they say "it's new and it's bad"

Re:The back-biting is shameful

[Talsan]

Haven't enough people been hurt by blindly trusting "experts"?* If there's one thing that everyone should have learned by now, if someone says "trust me", you should be skeptical.

This issue may be huge. But without all the necessary information, you can't make an informed decision as to whether or not you believe it is.

*This doesn't mean to imply that I don't think they're experts in their field.

Re:The back-biting is shameful

[morgan_greywolf]

Geez, if you want responsible disclosure, you have to trust the experts when they say "it's new and it's bad">

And that's one reason why I keep saying to hell with 'responsible disclosure'. But the more I say that the more people look at me like I'm some kind of space alien who just landed in a flying saucer.

Maybe then we wouldn't have software vendors taking weeks, months or years to patch remotely exploitable bugs (yes, I'm looking at YOU, Microsoft)

Re:The back-biting is shameful

[wild_quinine]

If there's one thing that everyone should have learned by now, if someone says "trust me", you should be skeptical.

No, you're off message. They need to click continue, because the screen has gone all dark and they can't get back to their web browser.

Re:The back-biting is shameful

[tyler.willard]

This issue may be huge. But without all the necessary information, you can't make an informed decision as to whether or not you believe it is.

That same information that allows you to make an "informed decision", as you so blithely put it, puts the integrity of the entire infrastructure and, more to the point, the information security of a whole lof of people at tremendous risk. Dammit, that's the whole point of the OP's observation and why people argue about disclosure in the first place.

Re:The back-biting is shameful

[Goaway]

So, you figure eighty vendors coordinated a simultaneous patch for some issue that is not really a big deal, probably just some guys vying for attention?

Re:The back-biting is shameful

[tyler.willard]

Maybe then we wouldn't have software vendors taking weeks, months or years to patch remotely exploitable bugs (yes, I'm looking at YOU, Microsoft)

Sure you would; and the blame for any damage would be blamed on who made the disclosure.

There is nothing wrong with how this was/is being handled. Limited disclosure with a solid and "reasonable" deadline is a perfectly fine way to balance the myriad issues with security threats.

Re:The back-biting is shameful

Geez, if you want responsible disclosure, you have to trust the experts when they say "it's new and it's bad"

I don't want "irresponsible disclosure". I don't want to be vulnerable, while major corporations get to do marketing damage control. They had a hole. Ok, everyone makes mistakes. They found the hole. Great, then we can do something about it. Or not, because they kept quiet about it while secretly writing the fixes. They kept quiet about it for long enough that even Microsoft had fixes ready.

Meanwhile, peoples DNS servers have been exploitable. Yes, they were exploitable before that, but no good guys knew, and bad guys tend to keep information to themselves, so they can keep expanding their botnets.

But at least their image wasn't damaged by "you don't even have a patch yet? How many months is it going to take? (See Microsoft Internet Explorer)". The only victims were unsuspecting customers, who didn't turn the damn thing off (or at least replaced it with something like djbdns), because they weren't told that it was broken in the first place.

The "good guys" kept the information to themselves, until they had done their part. Just like the bad guys do. So where's the difference between the bad guys and the "good guys"?

Paul himself compared it with a house being on fire. If your neighbours house was on fire, would you be working in secret to fireproof the fence, and then tell your neighbour a few days later, "oh, btw, your house is on fire, started a couple of days ago. Here's a fire hose, see if anything can still be saved"?

They didn't take the hole seriously enough to warn us before "marketing damage control" was done. Why should we take it more seriously?

Re:The back-biting is shameful

Why should we take it more seriously?

Because the house is still on fire, whether you like their information policy or not.

Re:The back-biting is shameful

[Talsan]

That same information ... puts the integrity of the entire infrastructure and, more to the point, the information security of a whole lof of people at tremendous risk.

Extremist talk and dire predictions are great, but where have they gotten us in the past? Vixie claims that "Everything we thought we knew was wrong", but at the same time, we know that there are DNS systems and services that did not have this vulnerability, so obviously some people had already given this type of issue some thought.

I'm not saying don't patch. --Security holes should be fixed, after all. But if you tell people a house is on fire when there are no flames and no smoke, don't be surprised when people are skeptical.

Re:The back-biting is shameful

Right, but I have this messy and inconvenient halon fire suppression system. I don't want to use it, because it makes my life more difficult, but if the fire department can't make it for a few months, then maybe I'm going to use that system before the fire spreads to my wallet.

Yeah, that's it, stretch that fucking metaphor. Streeetch!

Re:The back-biting is shameful

[pfleming]

Maybe then we wouldn't have software vendors taking weeks, months or years to patch remotely exploitable bugs (yes, I'm looking at YOU, Microsoft)

Sure you would; and the blame for any damage would be blamed on who made the disclosure.

There is nothing wrong with how this was/is being handled. Limited disclosure with a solid and "reasonable" deadline is a perfectly fine way to balance the myriad issues with security threats.

Except Microsoft doesn't handle things this way. If this had been only a Windows issue we would have never heard about it. The fact that Open Source is vulnerable as well means that we will eventually know what the problems were and be able to look to see that it was fixed in the Open Source versions.

Re:The back-biting is shameful

[tyler.willard]

What does any of that have to do with the process or are you implying that disclosure policy is nothing to be concerned about?

Re:The back-biting is shameful

[tyler.willard]

This has nothing to do with any specific vendor or open source.

This issue is about how and when independent researchers disclose a vulnerability they find.

Re:The back-biting is shameful

When the so-called experts are in fact the parties responsible in the first place, then why the hell should we trust them? Of course, I don't want responsible disclosure. This is "real bad", and it has now been disclosed to probably a hundred random security and ops dweebs around the Internet. You going to trust every one of them? Let's see if it leaks before Blackhat....

Re:The back-biting is shameful

[repvik]

Vixie claims that "Everything we thought we knew was wrong", but at the same time, we know that there are DNS systems and services that did not have this vulnerability, so obviously some people had already given this type of issue some thought.

No. Not all dns systems/services may be vulnerable, but this might not be because of forethought but rather a different design paradigm (buzzword alert, I know). They might just have been designed differently for other reasons, and non-vulnerability to this exact flaw may be a side-effect.

Re:The back-biting is shameful

[blincoln]

The fact that Open Source is vulnerable as well means that we will eventually know what the problems were and be able to look to see that it was fixed in the Open Source versions.

Anyone with a serious interest in finding out the details of the flaw doesn't need the source code to figure it out, or to see what changes were made to address it. All they need are the binaries and a disassembler.

Re:The back-biting is shameful

[Lennie]

It was because of forethought of one man, DJB (Bernstein).

Re:The back-biting is shameful

[Lennie]

Not in this case, in this case seeing the source changes doesn't really help, it's more like a protocol-design-flaw. And the bugfix is just a workaround.

Re:The back-biting is shameful

[Goaway]

Haven't enough people been hurt by blindly trusting "experts"?

Do tell us what you think the ration of people saved to people hurt by blindly trusting experts is.

Re:The back-biting is shameful

[bill_mcgonigle]

Maybe then we wouldn't have software vendors taking weeks, months or years to patch remotely exploitable bugs (yes, I'm looking at YOU, Microsoft)

Somebody benefits from the status quo.

Re:The back-biting is shameful

[morgan_greywolf]

A wise man, you are.

Re:The back-biting is shameful

I'm not saying don't patch. --Security holes should be fixed, after all. But if you tell people a house is on fire when there are no flames and no smoke, don't be surprised when people are skeptical.

That's straw-man argument. Nobody is saying anything comparable to "house is on fire", an example where the lack of fire/smoke would be obvious. This situation is more similar to a gas-leak warning.

Imagine being told that your coin boxes have a counterfeiting vulnerability that's higher risk than what one would normally expect and a weight-checking option should be added. You could do nothing just assuming that counterfeiting coins is too much effort to be likely. Then later word gets out that metal knock outs from electrical boxes installed at construction sites just happen to be the right size... next thing you know the kids all over town are collecting slugs...
(The potential loss in this example is low, and it is an example from long ago... and the size of the knock-outs has been changed and coin boxes now probably do check things like weight... and if modification is needed hardware is tougher to deal with than software, but hopefully you get the idea).

The potential damage from DNS-based hijacking is huge. The changes suggested make sense as far as they go and do not appear to offer any risk of introducing new vulnerabilities.
Can you cite any good reason NOT to act on the advice given????

Vixie claims that "Everything we thought we knew was wrong"...

Oh really. Looks like you made another straw man, and you use quotes as if he'd actually said that. I call B. S.

Re:The back-biting is shameful

But if you tell people a house is on fire when there are no flames and no smoke, don't be surprised when people are skeptical.

I think the situation is more analogous to being told that "a potentially incendiary situation exists" when you have hay all over your floor, 5 gallon cans of paint thinner stacked all over the place (and a few of them are leaking) and a light fixture that periodically throws sparks.

Re:The back-biting is shameful

[Kerkyon]

Vixie claims that "Everything we thought we knew was wrong"...

Oh really. Looks like you made another straw man, and you use quotes as if he'd actually said that. I call B. S.

RTFA. He did actually say that. (Though I agree with most of what you said.)

Re:The back-biting is shameful

[CrazedWalrus]

Depends on whether their expertise extends beyond the word "expert" in front of their names.

The problem is that many people are introduced as experts that aren't really experts and don't have the background that the term implies. The modern media is great for implying expertise or authority on a given topic without there being any basis for it.

Example: Why interview Pat Robertson on economic issues? People who don't know who Pat Robertson is will assume he's an authority on the topic at hand. Otherwise, why would he be interviewed?

Re:The back-biting is shameful

There's been some speculation that part of the issue is knowing the source port of the DNS response. Randomized ports (and in general, as much unpredictability as you can get away with while still maintaining interoperability) is well-known to be useful to security. Someone implementing a DNS server using randomized source ports for each query would already be well on their way towards minimizing the scope of this vulnerability (assuming that the speculation is correct) without necessarily understanding the impact of guessable ports.

Re:The back-biting is shameful

[Lost+Race]

you have to trust the experts when they say "it's new and it's bad"

OK... How bad? "Real bad" doesn't really help me at all. To make an informed decision I need to know four things:

1. Cost of patching
2. Cost of failure due to not patching
3. Probability of failure due to not patching
4. Probability of failure in spite of patching

#1 is making my firewall basically wide open to UDP. #2 is cache poisoning. Without knowing more about Kaminsky's attack, I can't really make any useful guesses about #3 and #4.

For now I've allocated a sub-range of non-privileged UDP ports that I can guarantee won't be used by other processes, and relaxed the firewall to allow BIND to use those ports. According to the dig test posted in TFA's comment section my server's security is still "POOR", so apparently 8000 ports (~13 bits of entropy) isn't enough. According to Kaminsky and Vixie 64000 ports (~16 bits) would be enough. WTF? Enough for what? I need a better explanation of what's really going on here before I can feel like I'm making an improvement by opening up the UDP firewall completely.

Still not knowing anything I get the feeling (and I'd rather not have to rely on vague feelings or opaque assurances) that there must be a way to detect and mitigate cache poisoning attacks, rather than just increasing the cost of a brute-force attack by factor of some small power of two through a slight increase in unpredictability.

Re:The back-biting is shameful

RTFA. He did actually say that. (Though I agree with most of what you said.)

Opps... stuck my foot all the way in my mouth that time. A bit surprised at his choice of language though

I usually do RTFA, but it was /.'d or my DNS was constipated

for a good time, paste this into Terminal:

dig porttest.dns-oarc.net in txt

Re:The back-biting is shameful

[mibh]

It was because of forethought of one man, DJB (Bernstein).

I'm pretty sure that if DJB had known about the attack Kaminsky found that kicked off the current crisis, he would have let us know. Note that I consider his UDP port randomization to be ingenius, and BIND 9.5.0 was already scheduled to have it even before ISC heard about Kaminsky's attack. Maybe DJB was disgusted with the laboratory-toy design simplicity of the DNS protocol, or maybe he's naturally conservative, or maybe this was low hanging fruit (why not use a nonce if nature gives you one?)

Given the troubles we're encountering with firewalls and NAT/PAT boxes as we roll out UDP port randomization internet-wide, I think there was a cost:benefit equation here, and that in the absence of Kaminsky's specific attack, a the price of UDP port randomization was too high, whereas now that we know about Kaminsky's attack, no price is too high.

A grown-up attitude from Vixie

[Kohath]

If he posted that here, it would get modded Flamebait or Troll.

Doctors make the worst patients

[wild_quinine]

... and IT admins make the worst end users.

Knowing how to run a system is not purely technical knowledge, it's also a measure of professional ability. That means knowing when to take advice, and knowing who to take it from.

Re:Doctors make the worst patients

Dood, I don't take much advice from people who say "I will totally give you props".

Also, prepare your botnets

You don't want to be lagging behind the competition. First on the unpatched box owns it.

Unfortunately, what else is new?

[geekmux]

Security expert discovers flaw

Tries to do the right thing and report it responsibly to vendors. Coordinates patch day responsibly.

People ignore it/blow it off/procrastinate and then proceed to throw blame and lawsuits against those who tried to help them in the first place.

They require a license to drive a car on a highway. Sure as hell would thin out the herd to require a license to drive a server on the information superhighway.

Re:Unfortunately, what else is new?

[mrsbrisby]

Not exactly.

This flaw was well known in 1990. Paul Vixie has been dragging his feet for almost twenty years with crack-potted shit like "additional credibility rules" and extra complexity.

How to fix this bug trivially was well known over ten years ago and still the ISC has been refusing to secure its users because they want to push DNS-SEC- a security system based on a trust hierarchy that doesn't exist, whose implementation has never worked, and will never work because Paul is a fucking idiot who cares more about his own ego than just admitting he was wrong and learning to live with it.

Look even now:

Second, take Secure DNS seriously, even though there are intractable problems in its business and governance model

He can't help himself. He's a douchebag, and I hope he just leaves the Internet business forever. We'd all be much better for it.

Re:Unfortunately, what else is new?

[danFL-NERaves]

Your mad ad hominem attack skills have convinced everyone that Paul Vixie is the know nothing douchebag in this conversation. Kudos!

Re:Unfortunately, what else is new?

[theskov]

I don't really see where the trivial fix is, in the linked document. Are you talking about the fix that means renaming all domains to be too long to remember? How is that any better than using the raw IP-addresses?

Re:Unfortunately, what else is new?

From reading the comments on the matasano blog, I get a sneaky suspicion that the port randomisation is a mid-term workaround that they want everyone to get into place, before they reveal the actual hole (and fix, I hope). I don't think the port randomisation is the final fix...

The fact that he says (emphasis mine):

"So, as a temporary workaround, the affected vendors are recommending that Dan Bernstein's UDP port randomization technique be universally deployed."

makes me think so even more.

Re:Unfortunately, what else is new?

[gregmark]

Randomizing UDP source ports does not solve the problem, it only makes it more difficult to impersonate the responding DNS server. Secure DNS makes this kind of impersonation impossible, or at least allows us to bask in the warm glow of impossible.

The DJB vs BIND thing is an illusion. Whatever everyone agrees is the best implementation should win and I doubt that Paul Vixie or anyone else at ISC thinks differently.

But it has become abundantly clear to me that DJB and his minions (of which I assume you are one) have failed to matter in most ways, not because of your ideas, but because of the brusque, immature manner in which those ideas are submitted for consideration, outside the standards committees which have served the Internet well for 30 years.

Re:Unfortunately, what else is new?

[MadMidnightBomber]

You broke my sarcasm meter.

Re:Unfortunately, what else is new?

[Lennie]

There is no real fix, other than changing than protocol in a backwards incompatible way. Port randomisation is a workaround and but it will give us some more years.

And that last part is just me guessing.

Re:Unfortunately, what else is new?

[Znork]

Secure DNS makes this kind of impersonation impossible

Mmm, no. It makes this kind of impersonation possible by anyone who can coerce/corrupt/control some part of the chain of trust.

outside the standards committees which have served the Internet well for 30 years.

Actually, on the topic of security and cryptography, I'd say the standards committees have failed the internet pretty badly. The apparent fixation with providing Verisign with revenue streams has gotten in the way of designing acceptable trust systems.

The only result that the fixation with certificates and authorities has gotten us is a situation wherein everyone is becoming their own authority and nobody cares about certificate warnings anymore.

If one wanted to repair the systematic damage by now, the best way would be to simply scrap the CA's out of browsers and anywhere else and just add a way to easily add specific CA's for each new domain/service provider one comes in contact with.

Re:Unfortunately, what else is new?

[nabsltd]

Secure DNS makes this kind of impersonation impossible

Mmm, no. It makes this kind of impersonation possible by anyone who can coerce/corrupt/control some part of the chain of trust.

I think a public/private key secured DNS would make it much harder to have this kind of impersonation work.

The biggest issue would be how would you securely get the public key for a particular domain. In other words, if Verisign (or somebody) signs the public key for example.com, then how do you get that signed public key so that when you get a signed DNS response from the example.com nameserver, you know it came from somebody who controls the private key for example.com.

The current SSL certificate infrastructure is pretty similar to what you would need, and it seems to work pretty well. There are ways to game it, and bad guys do get SSL certs, but overall it works.

But, a lot of the reason it works is because of the money. Most people that want SSL certs with a public CA want it because they are making money off that cert (Amazon, eBay, etc.). The vast majority of domains don't need SSL, but if secure DNS started rolling out, it wouldn't be long before you would be suspect if your domain didn't use it. Even at $10/year for current "no verify" SSL certificates, that would get to be pretty expensive "just for DNS". Probably the only way to really make it work would be for the DNS certificate to be included in the domain registration price.

Re:Unfortunately, what else is new?

[_Knots]

You're going down the path of DNSSEC, and, while I can't claim to be an expert, evidence suggests that this is a bad plan. DNSSEC started out as "oh, we'll just have the server sign all answers it gives out" (the "SIG+KEY" protocol of old).

Also, Verisign has _never_ shown themselves terribly competent at avoiding impersonation attacks -- they issued another SSL key for microsoft.com, FFS. We're supposed to hand them _more_ keys to the Internet?

Re:Unfortunately, what else is new?

[Znork]

but overall it works.

Actually, I'd say exactly the opposite. SSL is used only on a fraction of the net, and in many cases, for many uses, self-signed certificates are as trustworthy as the CA's. Overall, I'd say that's not working.

Imagine if you had to buy a cert for ssh; we'd still be using telnet...

a lot of the reason it works is because of the money

A lot of the reason it doesn't work is because of the money. The CA's maximize their profit by taking money and _not_ doing any checking. They have no financial incentive to do what they're supposed to do; they become untrustworthy by default.

Making money and being able to pay for a certificate isn't any foundation for trust either; scammers make money too...

For any system to work and get widely deployed it has to be built on end-to-end, without a third party, trust. Each site has to be in control of their own keys and not dependent on someone elses good will and business.

Re:Unfortunately, what else is new?

If I tune down my paranoia setting a notch, I can see your point.

His mention of "temporary workaround" might be referring to "until we manage to get DNSSEC in place," and not "to tide you over until we can release the real patch which will instantly be understood by all and lead to mass exploits within minutes"

I hope you're right!

Re:Unfortunately, what else is new?

[nabsltd]

Actually, I'd say exactly the opposite. SSL is used only on a fraction of the net, and in many cases, for many uses, self-signed certificates are as trustworthy as the CA's. Overall, I'd say that's not working.

SSL "doesn't work"? I guess I missed the articles on /. about Amazon, Google, eBay, PayPal, and every bank having issues with users not being able to connect to their secure servers, or with certificates showing up as not trusted, and the half-dozen impersonation attacks every week.

Like I said, there are definitely some problems that have happened, but overall the SSL certificate infrastructure is doing the job.

For any system to work and get widely deployed it has to be built on end-to-end, without a third party, trust. Each site has to be in control of their own keys and not dependent on someone elses good will and business.

How, exactly, do you purpose to do this with DNS? When you do a lookup on "example.com" for the first time, how do you check the signature if you don't have the public key? And, how do you get the public key in a trustworthy way without a third party?

Now, figure a way to make this scale so that it doesn't end up with IT administrators saying things like "Amazon, Google, and Microsoft are OK, but you can't view any other web pages because we don't have their DNS keys yet". Can you imagine if everyone who wanted to purchase at Amazon had to go to Seattle to pick up the Amazon SSL cert in person before they could create a secure, trusted connection? Because that's what would happen if Amazon used a self-signed cert and people wanted to be truly sure they were connecting to the real Amazon.

Part of the power of the Internet is that J. Random Blogger can put up some information on his personal domain that is exactly what you needed to know to get your install of Foobastic 2.4.12 to work with your hardware. Any secure DNS system that doesn't allow you to find that domain securely without any extra work on your part just isn't a viable solution.

Re:Unfortunately, what else is new?

[mibh]

The DJB vs BIND thing is an illusion. Whatever everyone agrees is the best implementation should win and I doubt that Paul Vixie or anyone else at ISC thinks differently.

I agree that any sense of competition between free stuff is illusury. There will be no winners other than the end users who benefit from greater availability and choice. Some people just plain like BIND, or Unbound, or PowerDNS, or DJB DNS, and I'll be happy if they get their wish -- to run what they like for reasons that make sense to them.

Re:Unfortunately, what else is new?

[mrsbrisby]

Randomize the source port. It's in the third paragraph.

Re:Unfortunately, what else is new?

[mrsbrisby]

Disclaimer. I'm the author of LDAPDNS.

Randomizing UDP source ports does not solve the problem, it only makes it more difficult to impersonate the responding DNS server.

Tens of thousands of times harder.

Secure DNS makes this kind of impersonation impossible, or at least allows us to bask in the warm glow of impossible

Unfortunately, Secure DNS doesn't exist. Nobody's quite sure what it looks like, or how it'll work because the things crytopgraphers is secure nobody wants to do because it makes ugly domain names, so we just sit here, shouting "Secure DNS" like that's going to make it show up sooner.

Listen, Paul's been crying for DNS-SEC for over a decade and yet there are still zero implementations. Even if there were a software stack, there's no credible authority- domain registrars don't check who they register to, and an email spoof can still steal nameserver configuration.

This isn't a technical problem, it's a social problem.

But it has become abundantly clear to me that DJB and his minions (of which I assume you are one) have failed to matter in most ways, not because of your ideas, but because of the brusque, immature manner in which those ideas are submitted for consideration, outside the standards committees which have served the Internet well for 30 years.

You don't get it, do you? Those thirty years are all about ego. DNS Forgery has been well understood for decades now, and Paul Vixie is only accepting a simple solution while dragging his heels because his very complicated idea didn't work.

The real problem is that Paul is a very smart man, so it's very easy for people like you to see that this is an argument between very smart people. However Paul is also a douchebag and an idiot because he's dragged you into defending his ego, for something that affects millions.

Re:Unfortunately, what else is new?

[mrsbrisby]

SSL isn't broken when users can't connect to their "secure servers". It's broken when SSL doesn't mean what the users think it means.

Users think SSL means their transaction/connection/information is safe. It might if CA's checked the information of their customers, and made sure they were responsible with data. But they don't. SSL has always been broken.

Re:Unfortunately, what else is new?

Interesting that you say "Secure DNS doesn't exist" and "...there are still zero implementations".

    http://www.aptld.org/taipeifebruary2008/20-dnssec_2008_APTLD.pdf

Re:Unfortunately, what else is new?

[mrsbrisby]

Referring to your own PDF:

Page 18: There are three competing implementations, all of which have problems.

Page 21: Deployment problems, clients not supporting; breaks access to sites. BIND bugs.

Also,

$ host -t ds se I.NS.se.
Using domain server:
Name: I.NS.se.
Address: 194.146.106.22#53
Aliases:

se has no DS record

means the security chain is already broken.

Finally, just because someone installed DNS-SEC doesn't mean that "Secure DNS" was deployed. If you can't tell the difference between the two, then you won't be able to have a meaningful conversation about this.

Re:Unfortunately, what else is new?

[mibh]

DNS Forgery has been well understood for decades now, and Paul Vixie is only accepting a simple solution while dragging his heels because his very complicated idea didn't work.

i'm accepting a solution because the cost:benefit of that solution is the best of all known alternatives in the nec'y timeframe. i'm also still pushing Secure DNS even though the quality of that technology and of the process which produced it makes me want to heave, because i'm aware of problems that don't occur at the transaction (hop by hop) layer, and i fully expect that next year dan will once again break the hop by hop layer in some way that we just won't have an easy fix for.

The real problem is that Paul is a very smart man, so it's very easy for people like you to see that this is an argument between very smart people. However Paul is also a douchebag and an idiot because he's dragged you into defending his ego, for something that affects millions.

say what you want about me, but don't call me a Secure DNS fanboy. it's all about cost:benefit across a long span of years.

Re:Unfortunately, what else is new?

[mrsbrisby]

don't call me a Secure DNS fanboy.

You'll note I didn't: I called you a very smart man.

However, I also call you a douchebag and an idiot. You and I both know that "Secure DNS" isn't the same thing as DNSSEC- one exists, the other does not. We also know that BIND's credibility rules are stupid.

But most importantly, we also know that a lot of the practical DNS forgery attacks in the past - nearly two decades- could have been mitigated and yet you have led people to believe there is good reason not to stop these attacks.

Re:Unfortunately, what else is new?

I called you a very smart man. However, I also call you a douchebag and an idiot.

It amazes me how rude people can be on the internet.

Re:Unfortunately, what else is new?

[mibh]

"Secure DNS" isn't the same thing as DNSSEC- one exists, the other does not.

Secure DNS includes TSIG, TKEY, and all revisions thus far to DNSSEC. So I'm not sure we're using the same dictionary.

We also know that BIND's credibility rules are stupid.

They exist to prevent cyclic glue reproduction, and were upgraded due to the Kashpureff attacks. They are not part of Secure DNS.

But most importantly, we also know that a lot of the practical DNS forgery attacks in the past - nearly two decades - could have been mitigated and yet you have led people to believe there is good reason not to stop these attacks.

UDP port randomization would not have stopped Kashpureff. Which attacks are you thinking of? I've led people to believe that if they deploy Secure DNS, including TSIG for their zone transfers, GSS-TSIG if they have the neccessary GSS infrastructure, RRSIG(0) if they have the necessary DNSSEC infrastructure, DNSSEC for their RDNS (making them into validators), and DNSSEC for their ADNS (meaning signing their zones and pressing their vendors to accept their DS RRs and sending their DLV RRs to ISC for inclusion in our DLV registry). None of which will help. Not today. But all of which will be necessary if we ever want to reach Secure DNS's tipping point.

As is often the case, I am not sure at this stage exactly what it is we're arguing about.

Re:Unfortunately, what else is new?

[Znork]

Amazon, Google, eBay, PayPal,

Like I said, a small fraction of sites. Had ssl 'worked' it would be deployed on close to every single site.

When you do a lookup on "example.com" for the first time, how do you check the signature if you don't have the public key?

The first time you connect to a site you have no business trusting it, anymore than the average person trusts people the first time they meet. Transfer the appropriate key then; trust is built over repeat interactions. For the purpose of building trust the interesting part is knowing it's the same entity as it was previously (something that third party CA's ruin, as a corrupt third party can put themselves (or anyone they choose) between you and the entity with which you've built your trust.

And, how do you get the public key in a trustworthy way without a third party?

How do you get it _with_ a third party? You assume the third party is trustworthy; how do you establish that? The ability to jump through hoops and pass an audit simply doesn't engender much trust.

There are ways; one is a web of trust/multi point trust structure. Designating multiple trust levels to multiple trust holders is one way. If several third parties have to verify it at least decreases the impact of compromised or subverted CA's.

With your Amazon example, that's a prefect case for first-meeting key distribution.

For other situations, such as banks, you'd most likely prefer to actually get the key from the bank via mail or on a smartcard.

Any secure DNS system that doesn't allow you to find that domain securely without any extra work on your part just isn't a viable solution.

And any secure DNS system that requires you to trust third parties simply isn't secure. So we get the current situation where DNSSEC just isn't a solution.

Re:Unfortunately, what else is new?

[mibh]

Had ssl 'worked' it would be deployed on close to every single site.

agreed.

any secure DNS system that requires you to trust third parties simply isn't secure. So we get the current situation where DNSSEC just isn't a solution.

the design calls for a path of trust that goes through a zone's parent (so, for slashdot.org, that's org) which made sense at the time since we're already trusting a zone's parent to hand us the right nameserver records (NS RRs) that bring the child into existence. so while this is a third party, it's not a new third party compared to normal DNS. are you sure this isn't secure?

your first-meeting trust distribution system sounds like what SSH uses, and it surely does work well for SSH. however, SSH isn't a lightweight datagram oriented protocol and i'm not sure that DNS can handle that much setup cost between trust-partners since there are millions of such for each RDNS and ADNS. the natural churn rate from key rollovers would probably be more traffic than all of DNS is today, which is a lot. since one of my hopes for Secure DNS is that it will someday obsolete X.509, i'd like it to have better scaling properties than X.509.

if i had to point to a weakness in the Secure DNS trust model it wouldn't be the existence of third parties, since as i said above there are no new third parties, just a new duty for the existing third parties (parent zone operators). noting that this new duty may strip the gears of many of the existing third parties, i would still say that the big weakness in the Secure DNS trust model isn't in the third party, but in the apex. the ultimate ancestor of all DNS zones is the "root zone", which is controlled by the U S Government through its contract with ICANN. we can't seem to get the root zone signed, but if we ever do get this, i feel uncomfortably certain that the U S Government will have key escrow.

while i wish we could do what PGP does, multiple paths of trust, each entity choosing whom to trust and how much to trust, each entity deciding for themselves which objects have enough trust coverage to be trustworthy... i was not able to sell that model inside the halls of the IETF, so we got trust-follows-delegation, with all its weaknesses, and without any way to get the root zone signed in any predictable or finite time. i find it darkly funny to be called a DNSSEC fanboy here whereas i'm seen inside IETF circles as a dangerous rabblerousing rebel on this topic. fun.

Re:Unfortunately, what else is new?

[mrsbrisby]

Secure DNS includes TSIG, TKEY, and all revisions thus far to DNSSEC. So I'm not sure we're using the same dictionary.

TSIG, TKEY, and all revisions thus far to DNSSEC don't make DNS secure.

They (credibility rules) exist to prevent cyclic glue reproduction, and were upgraded due to the Kashpureff attacks.

The credibility rules started showing up in 1992. Kashpureff's 1997 attack had nothing to do with it.

UDP port randomization would not have stopped Kashpureff.

No, but discarding the ADDITIONAL section would. It would be simpler, and cost very little.

... if we ever want to reach Secure DNS's tipping point.

The cost for such an infrastructure is very high, and it's not entirely clear it would be worth it. Most DNS attacks target bugs in the software, or defects in configuration. Increasing the complexity of both decreases DNS security.

As is often the case, I am not sure at this stage exactly what it is we're arguing about.

That's why I call you an idiot: You really don't know why anyone would hesitate to deploy "Secure DNS" because in your mind BIND is as good as they get- nameservers with fewer vulnerabilities "go against the spec" or provide fewer features- BIND provides the right balance.

The reality is that your users don't care: They want to read their email and visit their favorite websites. BIND is nothing more than a means to an end, and pretending otherwise is why you're a douchebag.

Besides, the attacks that DNSSEC and friends actually can protect against are very unrealistic simply because route filtering was easier to deploy.

What is Secure DNS

[maxinuruguay]

What is Secure DNS and where is the wikipedia article? Anybody?

Re:What is Secure DNS

"The Domain Name System Security Extensions (DNSSEC) are a suite of IETF specifications for securing certain kinds of information provided by the Domain Name System (DNS) as used on Internet Protocol (IP) networks. It is a set of extensions to DNS which provide to DNS clients (resolvers):

        * Origin authentication of DNS data.
        * Data integrity.
        * Authenticated denial of existence."

http://en.wikipedia.org/wiki/DNSSEC

Re:What is Secure DNS

Secure DNS is a protocol which uses cryptographic signatures on DNS records to prevent DNS spoofing and other unauthorized manipulations. It has some problems which are mostly a result of DNS being a UDP protocol, which, for performance reasons, can't have long handshakes or cryptographic calculations on the server side.

Re:What is Secure DNS

[_Knots]

Unfortunately, as Vixie admits, DNSSEC has intractable problems and is... well, let's be generous and say "pushed too quickly through the standards process". (See http://cr.yp.to./djbdns/forgery.html; in particular, Vixie's observation 'We are still doing basic research on what kind of data model will work for dns security. After three or four times of saying "NOW we've got it, THIS TIME for sure" there's finally some humility in the picture... "wonder if THIS'll work?" ...' [this was _after_ several DNSSEC RFCs were approved and intended to be implemented were shown to be utter crap.])

Encouraging people to use DNSSEC is just about as useful as encouraging people to use HOSTS.TXT. OK, I exaggerate a bit, but it's simply not going to solve the problem, is going to expose zones to arbitrary enumeration (remember, The Internet community discouraged answering AXFR requests from the Internet at large presumably for a reason), and is going to introduce much larger computational demands of DNS servers that implement it.

(Here's a thought: most of this forgery comes from my ability to guess your DNS cache / resolver's query port and request ID. Come IPv6, we could surely add 48+ bits of entropy to the process by having DNS servers listen on a prefix of addresses. Much simpler, if gross.)

Re:What is Secure DNS

[mibh]

The current Secure DNS spec has been implemented by multiple independent developers, and tested widely enough, that there is reason for calling it "good enough". And after 13 years of false starts, it's hard to call it "pushed out too soon", at least in its current form. Other than lack of political will to sign the root zone (see: ICANN and USG), Secure DNS is deployable.

If you want Kaminsky and others to keep coming up with new ways to pollute DNS caches every few years, then by all means treat Secure DNS as unnecessary or as unbelievably crappy or whatever. But for myself, I'd like to be solving different problems some day, and so, I urge everyone to deploy as much of Secure DNS as they can, and urge their vendors and service providers to do likewise. It will absolutely not help, and will hurt some, in the short term. But the effort can earn us all a better future.

Re:What is Secure DNS

[_Knots]

Please note that a lot of DNS exploits are still possible with DNSSEC, including Kaminsky's Suckets work -- it simply won't solve the DNS problems of the world. Moreover, the "problems" you're trying to solve with DNSSEC (e.g. yourbank.com getting redirected hostilly) can either still happen (oh, whoops, right, not all caches can mandate DNSSEC yet; applications can't tell whether getnodebyname() was done securely or not, and you should damn well be using TLS anyway). Further, DNSSEC has administrative problems (never _did_ solve that zone exposure problem, after 13 years, did they?) and dramatically increased server, cache, and resolver load. DNS aside, most phishing (which, be honest, is mostly why you're worried about DNS retargeting) is still served using compromised servers that don't claim to be the right one and don't present valid cryptographic tokens anyway! Clearly that problem is at a higher layer than DNS.

In addition to lack of political will, I view handing Verisign more money and ability to (*@#&*&@^#* up the network as something that should be an antigoal of the technical community.

And you're running around telling people to deploy this?

The point here is that you should be viewing hostnames as TOXIC WASTE that might be, occasionally, helpful, not as absolute truth given by Paul Vixie^W^Wgod himself. Failing to treat getnodebyname() and friends in this way is just setting yourself up for trouble.

"It will absolutely not help, and will hurt some" reflects admirably on the design and state of DNSSEC and, more largely, the IETF's ability to design transition plans of late.

Though I suppose it would have helped with that eroneously, mysteriously "still running" old GTLD root server. Clearly the people designing and running DNS know what they're doing. :)

Re:What is Secure DNS

[mibh]

it simply won't solve the DNS problems of the world

it would have prevented this attack, and amit klein's before that, and eugene kashpureff's back in the day. it would make BCP38 irrelevant to the DNS infrastructure. in other words it will solve a whole lot of problems that we actually know about and that we actually have. that you can cite a couple problems it would not solve is unsurprising and uninteresting from a risk:rewards point of view. that the API's aren't there yet for applications to become DNSSEC-aware is part of what i'm referring to when i say "deploy it locally and then beat on your vendors and providers to do likewise." be the chicken, or be the egg, but don't just complain from the sidelines -- that's already been done.

never _did_ solve that zone exposure problem, after 13 years, did they?

well, yes, we did. once the CCTLD's started taking DNSSEC seriously, they said "we can't do this if it allows zone-walking", which sadly meant that the protocol wasn't done after all, and has added yet another two years to the schedule. google for "NSEC3" to learn what's going on, and maybe do this level of fact checking before you come out here and tell everybody what's so.

I view handing Verisign more money and ability to (*@#&*&@^#* up the network as something that should be an antigoal

if you don't like verisign then you should move out of .COM and try something like .ORG whose registry (ISOC/PIR) has recently announced plans to deploy Secure DNS. (note that if you don't like verisign, then Secure DNS isn't the problem, .COM is the problem, and you should move.)

And you're running around telling people to deploy this?

well, yes, i am. but i am old enough to remember when people called ethernet a laboratory toy and said i was irresponsible for pushing it when token ring worked just fine. similarly, i was once yelled at for pushing TCP/IP when X.25 was good enough and OSI was clearly the future. no stranger to controversy am i. but if you want to gain the significant last-mover advantage of letting others try to make a market for Secure DNS, that's up to you. but maybe if you want to be neither chicken nor egg, you can also avoid complaining from the sidelines, eh?

not as absolute truth given by Paul Vixie^W^Wgod himself.

"If someone asks you whether you're a god, you say, YES." :-)

Re:What is Secure DNS

[_Knots]

I was unaware of NSEC3, having only looked at DNSSEC before its publication as an RFC in March. Thank you for bringing it to my attention; I retract my assertions that zone enumaration is a viable objection to DNSSEC.

AFAIK I understand the issues, EDNS having an extended ID field would also have solved, or made dramatically less likley at least, the injection attacks of late with a lot less effort. Am I mistaken in this understanding?

Do you have a pointer towards a design of a getnodebyname() replacement that indicates how it arrived at its data? I haven't seen one, but I admit to being shamed by ignorance of NSEC3.

Re:What is Secure DNS

[mibh]

EDNS having an extended ID field would also have solved

i don't think so, since EDNS is subject to downgrade attacks, it's not a good bearer for security-relevant information. i've also heard from some large internet portal companies that they have to ignore EDNS in a lot of queries since an EDNS response is often destroyed or dropped in the far-end firewall. this is fixable in the long run but it means we couldn't depend on EDNS for this fire drill even if it was resilient to downgrade attacks.

Do you have a pointer towards a design of a getnodebyname() replacement that indicates how it arrived at its data? I haven't seen one, but I admit to being shamed by ignorance of NSEC3.

i believe there is a firefox plugin that does this. IETF, in typical fashion, hasn't addressed the last-mile question of "how will applications become aware of this?" i think this should be done, so that glibc and BSD libc can just start offering this. at ISC we fear to tread on the API since folks will just accuse us of trying to take over the world (which is silly since we're already in charge, right?)

Small business setups NOT protected by the patch?

[jkbull]

From Paul Vixie's response: "Tom Cross of ISS-XForce correctly pointed out that if your recursive nameserver is behind most forms of NAT/PAT device, the patch won't do you any good since your port numbers will be rewritten on the way out, often using some pretty nonrandom looking substitute port numbers."

Does this mean that a typical small-business setup isn't protected by the patch?
 
For example, a server which provides recursive DNS and which connects to the Internet by a "cable" modem.

The truth comes out...

[slashname3]

Today at Black Hat the DNS exploit was explained and demonstrated in full. After getting 98% of the systems running DNS to apply an urgent patch it was disclosed that the patch was the hack. All patched DNS servers were then compromised during the Black Hat demonstration. This shows how a process can be used to introduce code that allows an outside entity full control of all systems on the network. During the demonstration Dan repeated his statement, "stop complaining, we've all got a lot of work to do by August 7 and it's a little silly to spend any time arguing when we need to be patching." Obviously he was refering to all the work he had to do to coordinate the largest take over of the Internet. A bot net of 100,000,000 systems was created in just a few minutes.

Re:The truth comes out...

[element-o.p.]

Do you write plot themes for Hollywood?

The problem with conspiracy theories is that everyone involved in the conspiracy must keep silent, or else the conspiracy will be outed. Most people have a lot of trouble doing that because let's face it -- our egos are just too big. Unfortunately (or fortunately, depending upon whether or not you're in on the secret), once anyone else knows, everyone else knows.

So yeah, that sounds like it would be a great exploit, but do you really think it is likely that anyone could convince everyone involved to be a part of such a conspiracy? Surely *someone* would have refused, and to date, the only person I know of who is even loosely connected with FOSS that has...ummm...disappeared...lately is the late Mrs. Reiser.

But okay, let's assume you're right. So, Dan Kaminsky and Paul Vixie and everyone else involved manage to do what you described despite the problems I mentioned. Has everybody patched? Yeah, they created quite a scare, but sys admins are a skeptical, paranoid bunch. Surely someone left an unpatched system or kept the source code for the unpatched versions of the major DNS servers hidden away somewhere -- even if only the FOSS versions. So if on August 7th, everything goes to ****, a bunch of people roll back to the old version. Yeah, the world's largest beowulf cluster of bots is still running, but the really paranoid guys are busy rolling back to unpatched DNS servers, and are working on patches for all the compromised systems. Assuming that Kaminsky, Vixie and co. aren't bludgeoned to death by a mob of angry sys admins, how long do you think it will be until it's business as usual again?

So, are we all compiling from source all the time?

[SlappyBastard]

All paranoid theories about this issue sort of ignore the fact that unless you plan to install hundreds (or even thousands) of systems from your own compiled source for years and years to come, all of this discussion is at best academic.

The new distros are going to have the patch.

And really, considering the number of prehistoric vulnerabilities that should have been patched, that this one is finally getting patched is fine.

Yeah, there's a bit of "trust me" factor here with this patch, but a lot of good people are putting their credibility on the line for this patch.

All of this whole FOSS thing entails a lot of trust. I mean, you're really telling me that everyone on here whining about the need to see the source code has read every line of code in every OS they're using? There is a level at which we're all sort of hoping that the guys interested in each of the particular parts of the OS have done a thorough job in their separate efforts.

Oops! I meant cable router, not cable modem

[jkbull]

Oops! I meant cable router, not cable modem

Re:Oops! I meant cable router, not cable modem

[larry+bagina]

It's a problem if your router uses NAT. Does your router use NAT? Is your DNS server behind the router?

Re:Oops! I meant cable router, not cable modem

[Rakarra]

My home router uses NAT. And sometimes I use my own DNS server to serve the home network and give that network a private TLD. Are those sorts of setups impacted now?

Re:Small business setups NOT protected by the patc

[totally+bogus+dude]

It depends on how the NAT device assigns port numbers to outgoing queries. Apparently the fix for this flaw is to ensure the source port for lookups is truly random; some devices may use very predictable sequences (such as our Cisco ASA at work, mutter mutter).

If you visit Dan Kaminsky's blog, there's a DNS checker in the right hand panel which allegedly tells you if you need to worry or not. It just looks to see if all your queries for their test domain name came from the same port number.

Re:Small business setups NOT protected by the patc

[socsoc]

Just another reason to make your local DNS forwarder use OpenDNS, or if you don't have one on your LAN, direct your router/workstations to OpenDNS. If your small-business LAN is relying on your provider's DNS, hopefully they patched it. Most worth their salt have, but OpenDNS also provides many features that are useful to small-business (in addition to not having been vulnerable to the flaw).

So its not the same flaw?

[BOFslime]

I'm having trouble with Paul Vixies' line:

Q: "This is the same attack as described way back in ."
A: No, it's not.

When Dan Kaminsky states in his blog.

"DJB was right. All those years ago, Dan J. Bernstein was right: Source Port Randomization should be standard on every name server in production use."
and
" 1) It's a bug in many platforms 2) It's the exact same bug in many platforms (design bugs, they are a pain) " How is this not the same flaw DJB described?

Re:So its not the same flaw?

[hal9000(jr)]

1) It's a bug in many platforms 2) It's the exact same bug in many platforms (design bugs, they are a pain) " How is this not the same flaw DJB described?

You are looking at two separate issues. The flaw Kaminsky found is apparently a newly discovered design flaw that makes DNS forging easy even with todays, unpatched DNS servers. In the advisory, they discussed previous problems with generating the transactionID to explain the problem and point out that what Dan found is not something already known (alot of people missed that very obvious point).

The second seperate, issue is UDP source port randomization. That is what Kaminsky was referring to DJB's solution. Kaminsky's assertion is that UDP source port is a good development practice which DJB incorporated into his DNS server.

Bear in mind that UDP source port generation doesn't solve the underlying problem, it simply makes blind DNS forging more difficult because now an attacker has to guess both a pseudo random transaction ID and a pseudo random UDP source port number. Alot of DNS servers and OS, simply picked source port numbers incrementally or in the case of a DNS server, re-used the some one over and over.

I don't know hom much more difficult DNS forging will be by randomizing the UDP source port numbers. The additional keyspace is (2^16-1023) and you can probably divide that in half again. But it's better then nothing and probably provides enough time (the time it would take an attacker to blindly guess the transactionID and UDP source port number) for the actual response to hit the DNS server. In DNS, the first response wins.

Re:So its not the same flaw?

[xrayspx]

DJB's source port randomization makes it much much harder to exploit the main bug, which is apparently a fundamental flaw in the DNS. We'll know on the 7th what that flaw is, but until DNSSEC or something similar is implemented, source port randomization will mitigate the risk until such time that the root cause is fixed.

Re:So its not the same flaw?

[Martin+Spamer]

Because a single flaw may be exploitable through multiple vectors of attack.

Though in this case source port randomization isn't the fix, it a stop gap that makes the flaw difficult to exploit in practice.

Re:So its not the same flaw?

[oneiros27]

Just because two problems have the same mitigation doesn't mean that they're the same problem.

You can take aspirin for a headache, or for a heart attack, but that doesn't mean that a headache is a heart attack or visa-versa. In some cases (I don't know the history, I never followed djbdns), you can have someone state a solution without a known attack -- 'This doesn't feel right, I don't think we should do it, but I can't say exactly why', and so we can get into a situation where there was no flaw for it to be the same as.

Re:So its not the same flaw?

[fatphil]

Remember that DJB and Vixie ain't exactly the DNS's super-best-friends: http://cr.yp.to/djbdns/notes.html#poison

Re:So its not the same flaw?

[kayditty]

That was probably the worst example of English grammar that I have ever seen.

Re:So its not the same flaw?

[mibh]

I've got nothing against DJB. And I expect that the URL in the parent points to pretty old information.

Re:So its not the same flaw?

[fatphil]

Yes, it's pretty old. However, the fight between them was going on for years, nearly half a decade. Even if it's over, I'm sure it's not forgotten by either party.

Re:So its not the same flaw?

Yes, it's pretty old. However, the fight between them was going on for years, nearly half a decade. Even if it's over, I'm sure it's not forgotten by either party.

You do realize that you are replying to Vixie, right?

DJBDNS

I don't find the patches. Am I in a risk ?

So...

[bigstrat2003]

Second, take Secure DNS seriously, even though there are intractable problems in its business and governance model -- deploy it locally and push on your vendors for the tools and services you need.

In other words, what he's saying is: "Take this new thing and deploy it, even though I admit it doesn't and can't work properly."

And this man doesn't see a problem with his logic? He must be certifiable.

Not so simple.

[pleappleappleap]

Only if you have a method for authenticating the other side of the phone conversation.

Re:Not so simple.

[Lennie]

And where you got the IP-address for the whois (hint it uses several hosts for different TLD/regions).

Re:Not so simple.

[skarphace]

Only if you have a method for authenticating the other side of the phone conversation.

Visit the website and get the phone number, of course!

Who is Paul Vixie?

I only take Bruce Schneier's word without peer review.

Re:So, are we all compiling from source all the ti

[TubeSteak]

All of this whole FOSS thing entails a lot of trust. I mean, you're really telling me that everyone on here whining about the need to see the source code has read every line of code in every OS they're using?

There's a specific phrase to describe it, but it escapes me at the moment.

Bascially, when you have a crowd of people standing around watching someone get beat up, nobody steps in to help, because everyone assumes someone else will help.

Verifying source code is somewhat like that: someone else will do it. The great thing about the internet is the crowd is so large that the few people, who would jump in no matter what, are always present.

It's all a liberal plot

[spun]

DNS cache poisoning is a myth cooked up by the liberal media and DNS scientists to implement their anti capitalist agenda.

And if it isn't a myth, then it certainly isn't man made, it's a natural phenomenon and there's nothing we can do about it.

Re:ATTENTION MODERATORS: MOD PARENT DOWN

[spun]

Uh oh, somebody call the whaaaaambulance, we're going to need to perform a humor transplant here!

A simple test to run

[GeorgeK]

In a comment to a question I posted for the CircleID article, Paul Vixie posted a nice and simple test that people can run to see how vulnerable they are:

dig porttest.dns-oarc.net in txt

FAIR or GOOD means you're ok, but POOR (which is the result I got) means you should be worried.

Re:A simple test to run

[brassman]

Very confused here... I get "POOR" at home behind a NAT router; okay, I understand that. I run the same test on a remote server on the backbone, which is running the latest bind9, patched this week, and it gives exactly the same "POOR" result.

What hoop are we supposed to jump through to get a "GOOD" result?

Re:A simple test to run

[Eunuchswear]

Install DJB's dnscache.

Re:A simple test to run

[jroysdon]

Many older named.conf configs have "query-source port 53;". While this is nice for firewalls to open up DNS traffic (assuming replies from source udp/53 to destination udp/53 (your query port) are always safe), it makes it easy to exploit.

This must be removed and those nameserver restarted. I had to do this with all of my servers, otherwise all queries come from the same port (53). Complain to your ISP if you find this to be the case with their DNS servers and in the meantime use some other DNS servers.

My two local Comcast resolves show "Poor" as the ports they use only have a standard deviation of 130-150, which I guess is assumed to be far too obvious and easy to keep bombarding.

Second, your NAT router may be de-randomizing your DNS queries if you run a resolver at home, and taking your random ports and putting them in order starting at 1024 (or something similar).

My own local/internal DNS servers shows as a std dev of 9 since my PAT router is de-randomizing the external ports. I'll be replacing my PAT router.

Third, your NAT router may be your DNS resolver and may not be using random source ports.

Re:A simple test to run

[illtud]

dig porttest.dns-oarc.net in txt

FAIR or GOOD means you're ok, but POOR (which is the result I got) means you should be worried.

Thanks for that. I've patched our RHEL5 BIND, but I still failed that test. I discovered that our legacy named.conf had carried a 'query-source' directive from ghod-knows-when and that just patching isn't always enough.

I found the issue from:

http://www.centos.org/modules/newbb/viewtopic.php?form=1&topic_id=15132&forum=37&order=ASC&start=0

Re:A simple test to run

[epine]

My stock OpenBSD 4.0 / BIND 9.3.2-P1 name server configuration passes with no modifications on my part. I got deviations from 16,000 to 20,000 across several hosts I tried within my network.

It seems to come with the territory that to write secure code, you have to offend people.

A) I disagree with you.
B) I think you're wrong.
C) That's broken.
D) That's broken, get lost.

If you chose A, you've probably never written a line of secure code.

Re:ATTENTION MODERATORS: MOD PARENT DOWN

[Goaway]

User ID 1352 trollin' it old skool!

Diffusion of Responsibility

[CrankyFool]

You're looking for Diffusion of Responsibility, made famous by the incident in which Kitty Genovese was murdered within earshot of a whole bunch of people, all of whom thought "damnit, someone should do something about this!"

Re:Small business setups NOT protected by the patc

"Just another reason to make your local DNS forwarder use OpenDNS, or if you don't have one on your LAN, direct your router/workstations to OpenDNS. If your small-business LAN is relying on your provider's DNS, hopefully they patched it. Most worth their salt have, but OpenDNS also provides many features that are useful to small-business (in addition to not having been vulnerable to the flaw)." - by socsoc (1116769) on Tuesday July 15, @09:34AM (#24194965)

You may have to "watch it" though, with ActiveDirectory (AD) networks (or, possibly OTHER directory services too, that are heavily dependent on DNS services)... E.G.-> Using OpenDNS &/or ScrubIT DNS servers!

For example:

Using external DNS servers can "mess up" FULL Outlook's connections to Microsoft Exchange Servers on an internal ActiveDirectory network!

(I've seen it happen, & even listing another INTERNAL one as the "secondary DNS server" didn't seem to help on a job I was @ last year/earlier this year - @ least not w/ out using some "extra layered work-arounds" like VPN's & such)...

----

It makes sense they would make things on an AD LAN/WAN funny, for some things @ least, & email's pretty important as one that gets messed up:

I mean - How on earth could an external-to-your-LAN/WAN DNS Server know about your internal & probably NON-ROUTABLE IP Address servers (static types - 10.x.x.x/172.x.x.x) or even DCHP assigned addy ones (192.168.x.x etc.) & their IP assignments?

From what I have seen? Hey - A third party external DNS server, by default, will not & screws up Exchange to Outlook, on an AD Lan/Wan.

APK

P.S.=> If you guys can show me a workaround for this one, though I am NOT in those conditions anymore (AD lan/wan)? Let us know... thanks! apk

Don't worry, Mr. Vixie

[93+Escort+Wagon]

Third, stop complaining, we've all got a lot of work to do by August 7 and it's a little silly to spend any time arguing when we need to be patching.

The patch is now in my crontab and set to run on the 6th.

OpenDNS too slow and caused problems (last year)

I tried to use OpenDNS about a year ago. Ran on it for about 3 weeks. Some of the things were nice (typos on URLs getting fixed, for example), but the overall experience with them as primary DNS was pretty pathetic. OpenDNS response times were awful, taking as long as 3 to 5 seconds to resolve some pretty normal/standard FQDNs (i.e. www.google.com, mail.google.com, bank sites, etc.). At first I thought I something was up with my system, until I traced it back to resolv.conf pointing to OpenDNS. Set things back to real DNS and lo and behold, all my problems over the previous three weeks went away.

I checked them again earlier this year. Exact same problems. This time I only ran on them for a part of a day, as I recognized the problems they were creating immediately.

So, I won't use nor recommend OpenDNS for anyone any longer. Especially in homes or small offices where they have minimal infrastructure. If I had more space, equipment, etc. I might have considered deploying a caching name server for my systems, which might have alleviated some of the problems with OpenDNS, but that was too much work with too little gain.

Re:So, are we all compiling from source all the ti

[dave562]

Verifying source code is somewhat like that: someone else will do it. The great thing about the internet is the crowd is so large that the few people, who would jump in no matter what, are always present.

Of course they are. They stopped ignoring their mom shouting down into the basement that it was dinner time a LONG time ago. ;)

Re:Small business setups NOT protected by the patc

[stderr_dk]

Wouldn't that make it easier for an attacker to exploit your local DNS?
You just told him, that his fake DNS-responses should appear to come from either 208.67.222.222 or 208.67.220.220.

Beware of ADSL router S-NAT on UDP ports.

[Swordfish]

I did the "dig" test on my patched DNS servers, and one of them failed.
Reason: It was connected to an ADSL router by a 192.168.1.0/24 subnet which was translated by port S-NAT to a narrow range of source UDP ports.

As a result, all of the fixing of the DNS servers was made useless.
It was only the "dig porttest.dns-oarc.net in txt" test which exposed this.

Not that you should really do:

dig @your.dns.server porttest.dns-oarc.net in txt

where your.dns.server is the local DNS server behind your ADSL router or firewall which you want to test. Otherwise you don't really know _which_ server you are testing.

So I reconfigured my ADSL modem and that is okay now.

However...
On another site, the above "dig" test shows that everything is GOOD. But that is an illusion. What happened is that when the "dig" command is pointed with "@" at the local port of the ADSL router, the ADSL router's built-in DNS server uses the ISP's two DNS resolvers, and the _ISP's_ servers are patched. But the ADSL modem DNS requester is using fixed UDP source ports.

I can't find any definite confirmation of this. But I think this scenario is just as vulnerable as the worst case, even though the "dig" test says GOOD.

Cheers,
Alan.

Re:Chuck Norris doesn't use DNS

[billstewart]

Chuck Norris doesn't type in IP addresses by hand. He just whistles the modem tones.

But doesn't he use broadband instead of dialup? When Chuck Norris whistles for a modem, it does what he wants real fast.

Why is Vixie recommending it?

[Grendel+Drago]

Unfortunately, as Vixie admits, DNSSEC has intractable problems [...]

So... why is Vixie recommending it? It's about as secure as using PGP without the web of trust, or using HTTPS without the PKI.

It would make sense if he didn't admit that there were intractable problems, and then told people to use it. Or if he said that there's really nothing you can do, and that the DNS vendors dropped the ball somethin' fierce by failing to secure the system in the decade since the problem was described.

But what is he even thinking?

Bah; enough dithering. It's time to cue the folks who're going to point out that djb is a big meanie, therefore nobody should rag on Vixie. Flying monkeys, away!

Re:Why is Vixie recommending it?

[_Knots]

If I have to guess, it's because Vixie is associated with ISC, who makes BIND, and is hoping that ISC makes more money with the "ZOMG, run DNSSEC or you're all doomed!". Of course, Vixie has never shown any kind of restraint over DNSSEC, and has previously urged adoption of (prior) broken editions of the protocol that somehow passed muster at the IETF despite not living up to their claims.

DJB may be a meanie, but he seems much more technically competent than Vixie. (I offer as evidence, again, the security records of vixie-cron and bind against djb's utilities, djbdjs, and qmail.) Also DJB seems much more intellectually honest and aware of what's going on. Of course, that's just MHO.

(For more lulz invoving DNS, and proof that it isn't, even with DNSSEC, a trustworthy protocol, see Kaminsky's "suckets" work. Using an adversary-controlled DNS server, it's possible to use the "same origin policy" (which is based on DNS being trustworthy) to achieve arbitrary connections. The correct conclusion is that your naming scheme and authority (DNS) ought not try to say anything about the security properties of the entities it names.)

Re:Why is Vixie recommending it?

[mibh]

ISC is a nonprofit, and our software is free. It's difficult to imagine how we'll cover more of our expenses if you all decide to start deploying Secure DNS. I have indeed urged adoption of prior editions of Secure DNS which is how we learned that the protocol and/or implementations of same still needed work. Am I doing that again? You betcha -- because we'll be fine tuning the Secure DNS protocol and its implementations, and the DNS protocol and its implementations, for the rest of the Internet's lifetime.

However, we're past the point of flag days in Secure DNS. A valid configuration today will remain valid in the future. And this time we're finally seeing investment by CCTLDs, and some interest from banks. But we're not going to convince ICANN and/or USG to take the risks and reach for these rewards unless there's a significant installed base. This makes Secure DNS a bit like IPv6 in that there's a significant last-mover advantage. That's why I'm singing this song on slashdot rather than businessweek. New stuff with rough edges and not a lot of immediate benefit has to come to the technical community to get born.

Re:Why is Vixie recommending it?

[mibh]

So... why is Vixie recommending it?

Because in life there are chickens and there are eggs. Note that Secure DNS is its own PKI, and its first and main reason for existing is to secure the DNS infrastructure, followed eventually by securing application data that's not safe enough in Classic DNS.

Re:Why is Vixie recommending it?

[_Knots]

Yes, sorry, my brain had glitched. The ISC is a nonprofit but was (is?) closely associated (http://cr.yp.to/djbdns/blurb/bindmoney.html) with the company I should have named, namely Nominum, the for-profit branch of Paul Vixie's life. I apoligize for the confusion.

Unrelatedly, if you're still worried that your protocols need work, it seems premature to promise that you won't flag-day the protocol again. You might certainly hope that you won't have to, which I admit is an admirable wish. Or is that to say that you aren't going to rev it if problems show up? Or that you'll leave DNSSEC running but go for a DNSSEC V2?

Forgive me if I still don't believe that DNSSEC brings any major advantage to the table and is diverting resources from the more correct view of the namespace and lulling us into a false sense of security.

Re:Why is Vixie recommending it?

[mibh]

Nominum, the for-profit branch of Paul Vixie's life.

you can't be serious. i resigned as chairman of nominum's board back in 2002 or so. i have no position there. they stopped working on BIND9 at about that same time. let the record show that i am grateful to nominum's then-shareholders for their significant donation of code and effort to BIND9 9.0.0, which went well beyond what ISC paid them for.

Or that you'll leave DNSSEC running but go for a DNSSEC V2?

it's an educated bet. the restarts to the Secure DNS protocol development effort over the last 13 years have been because we could not find a backward compatible way out of some mess we'd painted ourselves into. in that time EDNS has matured, providing a negotiation framework. in that time, NSEC3 was added, without invalidating any existing endpoint or implementation or data pattern. i really think we're going to be ok.

Forgive me

show me what you're investing your time and effort in that solves the same set of problems better, or solves the truer more underlying problems better, and we'll talk.

No result from dig?

From home, I get the expected "POOR" result from

dig porttest.dns-oarc.net in txt

At work, I don't get any answer back at all. I'm sure they have things configured in some broken way, can anyone provide a guess as to why I don't get any result at all?

Yeah, I'd just ask there, but it would take days to get back an answer of "please reboot and try again."

Re:So, are we all compiling from source all the ti

[jc42]

All of this whole FOSS thing entails a lot of trust. I mean, you're really telling me that everyone on here whining about the need to see the source code has read every line of code in every OS they're using?

No, but given the "number of eyes", it's usually not necessary that every person has read every line of code. If a set of N people have read the relevant code and understand it, that's often sufficient to solve a problem.

I ran across an example just a few days ago. The details aren't too important here; the critical point is that I and others were getting an error message didn't agree with what we could see clearly. A bit of detail: CUPS sometimes reports that a printer is permanently "busy", when you can tell by just looking at the printer that it's idle. I googled the message, several of the first hits were pointers to the source code, and the message was in a block that started:

if (error == ECONNREFUSED || error == EHOSTDOWN || error == EHOSTUNREACH) { ...}

The definitions of those error codes are easy to find, and none of them includes the concept of "busy". So the error message is bogus and misleading; the actual error was some sort of failure to connect to the IP address used. At this point, the search becomes tricky, because the error message doesn't report the actual error code. Someone needs to hunt down and understand all the places in the code where any three of those error codes is generated.

But note that an important part of the answer has been determined from just this code fragment: The error message is wrong. The printer isn't known by the software to be "busy". The actual problem is failure to get a TCP connection. And it's highly likely that various people in the collection of hackers will know what to do to diagnose all of the three possibilities. Without access to the source code, we would know none of this. We'd be blocked at the error message claiming that the printer is busy, and we'd have no further clues.

Also, since the code is "free" (as in freedom), there's a good chance that down the road we can replace the current bogus error message with something that does a better job of informing the user about the actual problem. Without the freedom to modify the source code, we'd be dependent on a vendor's good will. And, since this problem arises in trying to deal with equipment from a different vendor, chances are that the vendor would give it very low priority.

And look up RMS's story of how he started on the road to the "software freedom" concept. It was dealing with problems he was having with a printer that didn't play nice with his computer. This problem is still with us. All too often, such problems can't be solved without access to the source code. It's quite common to see error messages that don't include significant information. In this case, the actual error code wasn't reported, making diagnosis very difficult for novice and expert alike. With proprietary code, there's little that a user can do. With FOSS, we stand a chance of improving the error messages regardless of the level of interest of the vendor.

(But this was only a few days ago. That printer still isn't working with that one computer, but does work with a different computer in the same room. ;-)