Slashdot Mirror

← Back to Stories (view on slashdot.org)

Kaminsky Bug Options Include "Do Nothing," Says IETF

Posted by timothy on from the doing-stuff-is-overrated dept.

netbuzz writes "Meeting in Minneapolis this week, the Internet engineering community is debating whether to aggressively fashion and apply fixes for the so-called Kaminsky bug in the DNS discovered this summer, or to simply let its threat stand as motivation for all to move with greater speed toward DNSSEC, which is considered the best long-term security solution. Problem with the latter approach is that DNSSEC has been in the works for a decade already, no one is confident it will be universally embraced, and the Kaminsky flaw is causing real problems today.

18 of 134 comments (clear)

  1. DNS by Anonymous Coward · · Score: 5, Funny

    TMBG37 GOES TO THE MARKET
            -or-
    DNS for fucking idiots.
    (NONE LIKE IT HOT!)
     
    1. TMBG37 tries to go to www.dildomall.com with his browsar.
            a. His local machine checks if he's been there recently
              and if it remembers the IP address.
            b. Let's assume (big assumption people), that TMBG37
              hasn't been buying any rubbery cocks of late (ha!),
              his computar connects to its local nameserver.
                    --> HELO MISTAR NAMESERVAR
                    <-- Oh fuck it's you :(
                    --> WHERE DO I BUY DILDOES?
                    <-- Shit kid I don't even want involved with that.
                    --> GIVE ME ADDRESS FOR www.dildomall.com!!!!!
                    <-- Fuck you. But fine, its nameserver is
                        ns1.bunghole.org, which is 69.69.69.69.
                    --> THANK YOU SIR
            c. His computer goes on to pester ns1.bunghole.org, via
              its IP address, which it got from the local nameserver.
                    --> OMG R U ns1.bunghole.org?
                    <-- Oh christ, I've heard about you :(
                    --> OMG PLZ WHAT IS www.dildomall.com !!!!?
                    <-- Leave me alone.
                    --> PLXX?????
                    <-- It's 37.37.37.37
                    --> OMG HHLUAHGLAUHGALUHGUH *SUCKING DICK*
    2. TMBG37 goes on to happily penetrate his anus with a dildo
      bought from www.dildomall.com, with the IP address 37.37.37.37.
      There are HTTP/1.1 issues involved here if it is using virtual
      hosting, but that's NEITHER HERE NOR THERE.

    1. Re:DNS by pleappleappleap · · Score: 5, Funny

      To know recursion, you must first know recursion.

    2. Re:DNS by Spazmania · · Score: 4, Funny

      You keep that up, I might just blow my stack.

      --
      Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
  2. Re:So what powers does the IETF have on this? by JCSoRocks · · Score: 4, Interesting

    On top of that, recommending DNSSEC is starting to sound like recommending that everyone start playing Duke Nukem Forever.

    No one likes patching sinking ships but it's better than nothing. Doing nothing and waiting for DNSSEC are nearly the same thing.

    --
    You are using English. Please learn the difference between loose and lose; they're, there, and their; your and you're.
  3. Re:How many legs does the Kaminsky bug have? by cstdenis · · Score: 5, Funny

    It's a space station. You don't need a vacuum cleaner. Just open a window.

    --
    1984 was not supposed to be an instruction manual.
  4. Old news? by Bearhouse · · Score: 3, Informative

    As often, Ars Technica has had this for a while.

    http://arstechnica.com/news.ars/post/20080726-new-dns-exploit-now-in-the-wild-and-having-a-blast.html

    I quote:

    "This would be less of an issue if the widely released patch from two weeks ago had been fully deployed"

    And:

    Moving to the more DNSSEC system would have solved this problem, and that idea was apparently floated, but it was dismissed on account of the tremendous overhead required by this protocol. The patch that currently exists is not a foolproof solution, but it minimizes the chances that the attack will succeed. "The exploit is now tens of thousands of times harder, but still possible," Kaminsky stated during his Black Hat webcast. "one in several hundred million to one in a couple billion."

    Yawn.

  5. Stupid, stupid, stupid! by Opportunist · · Score: 4, Insightful

    Now, when, and I mean EVER, has a security hole meant that people switch to a new platform? Or when has a severe security hole EVER caused people to even consider moving?

    Windows has its leaks. But people keep using it. Why? Because they don't care, don't know or because "hey, what are the odds that it happens to me?". SMTP and POP have flaws, spam is running rampart because of it, and we switch to securer ways of mailing that can verify the sender... not! IPv4 has security problems and we're not even seriously considering switching to something more secure.

    People will NOT switch to something else just because of a security problem. Because the people who could enforce it simply don't care. ISPs? ISPs don't even care about trojans running rampart in their network. Most don't even bother trying to block Sasser from spreading. The governments? Spare me that, currently I'd rather expect them to use the flaw themselves for better surveillance of their subjects.

    Fix that damn bug! Nobody will move to a better platform just because of a "mere" security problem.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:Stupid, stupid, stupid! by Opportunist · · Score: 3, Informative

      No, DNSSEC would fix the bug. IF, and only IF, everyone used it. Actually the fact that DNSSEC accepts insecure DNS requests makes this approach flawed.

      It's not a technical problem. It's an economic one.

      Switching to DNSSEC means additional costs for ISPs. Additional time for server admins, additional hassle to get the verifications, signatures and certs. In one word, expense. Expense without revenue.

      Now, old school, insecure DNS works. The customer doesn't see a difference (most of all, he doesn't understand why DNSSEC would be a good idea, if he heard about it at all). Security has never been a selling point for ISPs. Price is. The customer won't request secure DNS and for almost every potential customer of an ISP the question whether a provider uses secure or insecure DNS is not going to influence his decision which one to take. If he has a choice at all, that is.

      I do agree that switching to DNSSEC would be a damn good idea. But you, me, some others on /. and a handful more understand the implications. That's not even a percent of a potential customer base for an ISP. So it doesn't matter.

      As long as there is no meaningful pressure on ISPs to adopt DNSSEC, they won't do it. And by meaningful, I mean someone or something requiring you to come from a provider address using DNSSEC to do business with you (banks come to mind). But since they again don't want to lose customers (due to requiring it while some other bank/business doesn't), they won't press for it either.

      If you want to force people to use DNSSEC, you have an ally in me. But you will not convince a sizable portion of the users, or even ISPs, just by keeping the alternative insecure. They won't care.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  6. sensationalist nonsense - use 0x20 now! by leto · · Score: 4, Interesting

    Stupid sensationalism.

    You can right now use draft-vixie-dnsex-dns0x20 to protect against the kaminsky bug. This option is already available in the unbound nameserver.

    Talking about totally talking out of context. Fools!

    If IETF does something to mitigate, the unbelievers scream "see we dont need dnssec"

    If IETF does not do something, the unbelievers scream "you're blackmailing us into dnssec"

    Stop whining and put your foot where your mouth is.

  7. Misreported by Spazmania · · Score: 5, Informative

    I was in the meeting. As I recall, one gentleman, I'll repeat that, one gentleman from the audience of a few hundred got up and expressed the opinion that we should do nothing so as to spur DNSSEC deployment.

    There was rather more consensus for the view that we should avoid making quick hacks that might obstruct DNSSEC deployment since DNSSEC is currently the only approach on the table that we're reasonably sure ends the problem.

    --
    Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
  8. Re:So what powers does the IETF have on this? by Zero__Kelvin · · Score: 3, Informative
    From the Wiki article you link to:

    It is widely believed that deploying DNSSEC is critically important for securing the Internet as a whole, but deployment has been hampered by the difficulty of:

    1. Devising a backward-compatible standard that can scale to the size of the Internet
    2. Preventing "zone enumeration" (see below) where desired
    3. Deploying DNSSEC implementations across a wide variety of DNS servers and resolvers (clients)
    4. Disagreement among key players over who should own the .com (etc) root keys
    5. Overcoming the perceived complexity of DNSSEC and DNSSEC deployment

    Some of these problems are in the process of being resolved, and deployments in various domains have begun to take place.

    I guess we have different definitions of "exists", unless you mean it exists as a list of as yet unsolved problems.

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  9. Re:How many legs does the Kaminsky bug have? by lgw · · Score: 3, Funny

    It's a space station. You don't need a vacuum cleaner. Just open a window.

    No way! That would make a vacuum dirtier!

    --
    Socialism: a lie told by totalitarians and believed by fools.
  10. Re:Minneapolis? by Al+Dimond · · Score: 3, Funny

    I don't know much about this sort of thing, but I bet it's relatively cheap to book in cold-weather cities in the winter.

    As a side benefit, it annoys Californians. Win all around.

  11. Re:So what powers does the IETF have on this? by lysergic.acid · · Score: 3, Informative

    you need to work on your reading comprehension skills.

    DNSSEC exists plain and simple. it's already been deployed for a lot of domains and root nameservers. just because there are difficulties hampering its widespread adoption doesn't mean it doesn't exist. that's like saying IPv6 doesn't exist because it's still suffering from a lack of widespread adoption.

    none of the factors preventing more widespread deployment are problems that need "solving." in fact, they're more social/political problems than they are technical problems. so the "solution" to these problems is simply to persuade/pressure/coerce DNS servers to adopt DNSSEC, which is what IETF is debating about.

    1. backward-compatibility may be difficult to maintain, but this is a transitional problem, and it's not a real technical barrier to adoption at this point. BIND 9.3 (several older versions are compatible as well) officially supports DNSSEC, so does NSD, and Nominum's ANS and CNS. the fact of the matter is, there are tons of domains already using DNSSEC without issue.
    2. the zone enumeration issue has already been solved with NSEC3 (RFC 5155) released in March--which you'd already know if you'd read the rest of that Wiki article.
    3. this is a logistical problem that every new technology/protocol/standard faces. the main issue here is the last-mover advantage. nobody wants to be the first to adopt a new standard when there's no financial incentive to do so. but somebody has to go first. and at this point there is already a wide variety of software, prototype systems & tools available for implementing DNSSEC with little to no risk involved.
    4. this is purely a political issue, and it has more to do with the U.S.'s monopolistic control over the DNS system than DNSSEC. perhaps if ICANN acted more impartially instead of getting in bed with Verisign and other commercial corporations we wouldn't have political BS hindering technological progress. in any case, this is an ICANN problem and could be solved by organizational reforms to make ICANN operate with more transparency and give other nations a voice in domain name management.
    5. the perception of DNSSEC being too complex or difficult to adopt is just that--a problem with public perception. IETF is working on resolving this problem through education and training, which are on their deployment road map. there's a lot of good free resources out there to help ease others through this transitions and dispel false perceptions.
  12. Re:Minneapolis? by Spazmania · · Score: 3, Interesting

    Minneapolis has a "Skyway." Basically, many of he buildings downtown are connected via heated walkways between the second floors. These second floors form literally miles and miles of indoor pedestrian mall. The Hilton where the conference is held is connected to it.

    So basically you can go everywhere without having to ever go outdoors. And we have a gig-e Internet link for the duration of the conference. Its computer geek heaven.

    --
    Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
  13. Re:Minneapolis? by mellon · · Score: 3, Interesting

    Eh, the whole downtown is covered in habitrails, so you can walk from building to building in short sleeves, because you don't ever have to go outside. It's kind of like living on a really big space station, only with gravity.

    It was kind of cold in my hotel room, though.

  14. Re:sounds familiar by mellon · · Score: 3, Funny

    Trust me, there's very little need for Trojans at a typical IETF meeting.

  15. Emphasis on *amateur* by jonaskoelker · · Score: 3, Interesting

    Even an amateur cryptographer would tell you that the more you know about the message, the easier it is to break it.

    And a professional cryptographer would tell you to use a signature scheme that is provably secure (under standard cryptographic assumptions) against known plaintext signature forgery, and use a key big enough to satisfy you. Heck, you do all the crypto off-line, so you can pick a big one.

    Confidentiality protections reduce the amount of knowledge, and thus protect against attacks that are yet unknown.

    Prove the security of your signature scheme in the Universal Composability model and it's secure against all attacks, known and unknown.

    I don't think you know what you're talking about.

    Oh the iro... No, actually, you _do_ know what you're talking about: amateur cryptography.

    DNSCurve protects against denial of service attacks [link]

    So to back up your claim, you post a link to someone making the same claim. Now I'm convinced...

    It requires far less compute-power than DNSSEC.

    Yes, but it requires it on-line. It also requires caching keys for your clients unless you want to double your in- and outbound packet load.

    Read the page about DNSCurve. It says "DNSCurve and DNSSEC have complementary security goals. If both were widely deployed then each one would provide some security that the other does not provide."

    They're, taken at the word, not meant to replace each other.