Slashdot Mirror


Kaminsky DNS Bug Claimed Fixed By 1-Character Patch

An anonymous reader writes "According to a thread on the bind-users mailing list, there is nothing inherent in the DNS protocol that would cause the massive vulnerability discussed at length here and elsewhere. As it turns out, it appears to be a simple off-by-one error in BIND, which favors new NS records over cached ones (even if the cached TTL is not yet expired). The patch changes this in favor of still-valid cached records, removing the attacker's ability to successfully poison the cache outside the small window of opportunity afforded by an expiring TTL, which is the way things used to be before the Kaminsky debacle. Source port randomization is nice, but removing the root cause of the attack's effectiveness is better."
Update: 08/29 20:11 GMT by KD : Dan Kaminsky sent this note: "What Gabriel suggests is interesting and was considered, but a) doesn't work and b) creates fatal reliability issues. I've responded in a post here."
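Added example, not code from the Slashdot story, the bind-users thread or BIND itself: a toy Python model of the two cache-update policies the summary contrasts, "favor a newly seen NS record over the cached one" versus "keep a still-valid cached record until its TTL expires". The names, TTLs and timeline are constructed, the cache is a few dozen lines rather than BIND's real credibility logic, and the model illustrates the policy difference only; it does not settle the disagreement in the update above.

```python
"""Toy resolver cache contrasting two update policies for an NS record.
Constructed example; names, TTLs and timings are made up for illustration."""

from dataclasses import dataclass


@dataclass
class CacheEntry:
    rdata: str
    expires_at: float  # absolute simulation time at which the TTL runs out


class ResolverCache:
    """Minimal cache keyed by (owner name, record type)."""

    def __init__(self, prefer_cached: bool):
        # prefer_cached=False: a newly seen record always overwrites the cache
        #                      (the behaviour the summary attributes to BIND)
        # prefer_cached=True : a still-valid cached record is kept and the new
        #                      data is ignored until the old entry has expired
        self.prefer_cached = prefer_cached
        self.entries: dict[tuple[str, str], CacheEntry] = {}

    def lookup(self, name: str, rtype: str, now: float):
        """Return cached rdata, or None on a miss or an expired entry."""
        entry = self.entries.get((name, rtype))
        if entry is None or entry.expires_at <= now:
            return None
        return entry.rdata

    def ingest(self, name: str, rtype: str, rdata: str, ttl: int, now: float) -> bool:
        """Offer a record to the cache; return True if it was stored."""
        key = (name, rtype)
        existing = self.entries.get(key)
        if self.prefer_cached and existing is not None and existing.expires_at > now:
            return False  # still-valid cached record wins, new data dropped
        self.entries[key] = CacheEntry(rdata, now + ttl)
        return True


def run_scenario(prefer_cached: bool) -> dict:
    """Constructed timeline: the legitimate NS record is cached at t=0 with a
    one-hour TTL; an unsolicited replacement NS record for the same name
    (untrusted origin, constructed name) is offered at t=100; lookups happen
    at t=200 (inside the original TTL) and t=4000 (after it has expired)."""
    cache = ResolverCache(prefer_cached)
    cache.ingest("example.com.", "NS", "ns1.example.com.", ttl=3600, now=0)
    accepted = cache.ingest("example.com.", "NS", "ns.untrusted.test.", ttl=86400, now=100)
    return {
        "accepted": accepted,
        "during_ttl": cache.lookup("example.com.", "NS", now=200),
        "after_ttl": cache.lookup("example.com.", "NS", now=4000),
    }


if __name__ == "__main__":
    for policy in (False, True):
        print(f"prefer_cached={policy}: {run_scenario(policy)}")
```

Under the overwrite policy the replacement record is accepted immediately and is what a lookup returns both during and after the original TTL. Under the prefer-cached policy it is dropped, the legitimate record is served until t=3600, and the later lookup is a plain cache miss that would trigger a fresh query; that expiry window is the "small window of opportunity" the summary refers to. The same model also shows the cost of the rule: a legitimate delegation change offered while the old record is still valid is dropped just as readily, which is the kind of reliability trade-off the update alludes to.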

10 of 120 comments

  1. Developer comments on the bug by Anonymous Coward · · Score: 4, Funny

    Ok! Ok! I must have, I must have put a decimal point in the wrong place
    or something. Shit. I always do that. I always mess up some mundane
    detail.

    1. Re:Developer comments on the bug by oodaloop · · Score: 1, Funny

      This is not a MUNDANE DETAIL, Anonymous Coward!

      --
      Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
  2. Well let me just say by beakerMeep · · Score: 5, Funny

    (and I think I speak for everyone), this is how I feel about it:

    !

    --
    meep
  3. Server 2008 patch for this now out by Anonymous Coward · · Score: 4, Funny

    It's 570MB.

  4. Not getting much love in the mailing list by ccguy · · Score: 4, Funny

    I'm so bored that I actually read the post in the mailing list and all the replies in the thread.

    Just to be at the same time informative and to the point, the 7 replies so far have been as positive as this patch was in the Linux kernel mailing list a few years ago.

  5. Reminds me of the story... by hanshotfirst · · Score: 5, Funny

    (Source unknown)

    A manufacturer had a problem with one of the older machines on their line. It shut down the line and held up production, costing many thousands of dollars in lost production. Since it was older equipment it was hard to find someone knowledgeable in repairing the machine, and nobody on-site knew what the problem could be. They found a technician with knowledge of the machine and hired him to come in and fix it.

    When the technician arrived on site he listened to the client's description of the problem, examined the machine, opened a panel, and turned a single screw. He restarted the machine and it was back to full function. The line was up and running and the manufacturer was happy.

    A week later the manufacturer received a bill for services: $1000. They called the technician and demanded an explanation - after all, they reasoned, he had only turned one screw to fix the problem. He agreed to re-bill, this time with itemized charges. The next bill contained two lines.

    Turning the screw... $1
    Knowing which screw to turn... $999

    --
    Why, oh why, didn't I take the Blue Pill?
  6. Re:Steve Jobs by El Yanqui · · Score: 5, Funny

    Steve Jobs is alive and Slashdot isn't even covering it. This place blows.

    --
    Well, thanks to the Internet, I'm now bored with sex.
  7. Meh. by Rob T Firefly · · Score: 3, Funny

    Ever since seeing this I don't trust that one character, Patch.

  8. Re:Steve Jobs by bistromath007 · · Score: 3, Funny

    Forget that. Shouldn't we have regular updates on whether or not Charles Babbage is still dead? He's the father of computing itself, for fuck's sake!

  9. Re:Steve Jobs by Anonymous Coward · · Score: 2, Funny

    Maybe we should have a Charles Babbage status page a bit like this one:
    Abe Vigoda