Slashdot Mirror


Kaminsky Bug Options Include "Do Nothing," Says IETF

netbuzz writes "Meeting in Minneapolis this week, the Internet engineering community is debating whether to aggressively fashion and apply fixes for the so-called Kaminsky bug in the DNS discovered this summer, or to simply let its threat stand as motivation for all to move with greater speed toward DNSSEC, which is considered the best long-term security solution. Problem with the latter approach is that DNSSEC has been in the works for a decade already, no one is confident it will be universally embraced, and the Kaminsky flaw is causing real problems today."


  1. DNS by Anonymous Coward · · Score: 5, Funny

    TMBG37 GOES TO THE MARKET
            -or-
    DNS for fucking idiots.
    (NONE LIKE IT HOT!)
     
    1. TMBG37 tries to go to www.dildomall.com with his browsar.
            a. His local machine checks if he's been there recently
              and if it remembers the IP address.
            b. Let's assume (big assumption people), that TMBG37
              hasn't been buying any rubbery cocks of late (ha!),
              his computar connects to its local nameserver.
                    --> HELO MISTAR NAMESERVAR
                    <-- Oh fuck it's you :(
                    --> WHERE DO I BUY DILDOES?
                    <-- Shit kid I don't even want involved with that.
                    --> GIVE ME ADDRESS FOR www.dildomall.com!!!!!
                    <-- Fuck you. But fine, its nameserver is
                        ns1.bunghole.org, which is 69.69.69.69.
                    --> THANK YOU SIR
            c. His computer goes on to pester ns1.bunghole.org, via
              its IP address, which it got from the local nameserver.
                    --> OMG R U ns1.bunghole.org?
                    <-- Oh christ, I've heard about you :(
                    --> OMG PLZ WHAT IS www.dildomall.com !!!!?
                    <-- Leave me alone.
                    --> PLXX?????
                    <-- It's 37.37.37.37
                    --> OMG HHLUAHGLAUHGALUHGUH *SUCKING DICK*
    2. TMBG37 goes on to happily penetrate his anus with a dildo
      bought from www.dildomall.com, with the IP address 37.37.37.37.
      There are HTTP/1.1 issues involved here if it is using virtual
      hosting, but that's NEITHER HERE NOR THERE.

    1. Re:DNS by pleappleappleap · · Score: 5, Funny

      To know recursion, you must first know recursion.

    2. Re:DNS by Spazmania · · Score: 4, Funny

      You keep that up, I might just blow my stack.

      --
      Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
  2. Re:So what powers does the IETF have on this? by JCSoRocks · · Score: 4, Interesting

    On top of that, recommending DNSSEC is starting to sound like recommending that everyone start playing Duke Nukem Forever.

    No one likes patching sinking ships but it's better than nothing. Doing nothing and waiting for DNSSEC are nearly the same thing.

    --
    You are using English. Please learn the difference between loose and lose; they're, there, and their; your and you're.
  3. Re:How many legs does the Kaminsky bug have? by cstdenis · · Score: 5, Funny

    It's a space station. You don't need a vacuum cleaner. Just open a window.

    --
    1984 was not supposed to be an instruction manual.
  4. Stupid, stupid, stupid! by Opportunist · · Score: 4, Insightful

    Now, when, and I mean EVER, has a security hole meant that people switch to a new platform? Or when has a severe security hole EVER caused people to even consider moving?

    Windows has its leaks. But people keep using it. Why? Because they don't care, don't know or because "hey, what are the odds that it happens to me?". SMTP and POP have flaws, spam is running rampant because of it, and we switch to securer ways of mailing that can verify the sender... not! IPv4 has security problems and we're not even seriously considering switching to something more secure.

    People will NOT switch to something else just because of a security problem. Because the people who could enforce it simply don't care. ISPs? ISPs don't even care about trojans running rampant in their network. Most don't even bother trying to block Sasser from spreading. The governments? Spare me that, currently I'd rather expect them to use the flaw themselves for better surveillance of their subjects.

    Fix that damn bug! Nobody will move to a better platform just because of a "mere" security problem.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  5. sensationalist nonsense - use 0x20 now! by leto · · Score: 4, Interesting

    Stupid sensationalism.

    You can right now use draft-vixie-dnsext-dns0x20 to protect against the Kaminsky bug. This option is already available in the unbound nameserver.

    Talking about totally talking out of context. Fools!

    If IETF does something to mitigate, the unbelievers scream "see we don't need dnssec"

    If IETF does not do something, the unbelievers scream "you're blackmailing us into dnssec"

    Stop whining and put your foot where your mouth is.
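
The 0x20 technique named in the comment above, sketched as an added example that is not part of the original post and is not Unbound's code: the resolver randomizes the letter case of the query name and accepts a reply only if the question is echoed back case-for-case, so an off-path forger has to guess those bits as well as the 16-bit transaction ID. The function names and the example.com query are assumptions made for illustration, and the parser handles only uncompressed question names.

```python
import secrets
import struct

def encode_0x20(name: str) -> str:
    """Randomly flip the case (the 0x20 bit) of each ASCII letter in a query name."""
    return "".join(
        (c.upper() if secrets.randbits(1) else c.lower())
        if c.isascii() and c.isalpha() else c
        for c in name
    )

def build_message(qname: str, txid: int, flags: int) -> bytes:
    """Minimal DNS message: 12-byte header plus one question (type A, class IN)."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def parse_question(packet: bytes) -> tuple[int, str]:
    """Return (txid, qname) from the first question, preserving letter case."""
    txid = struct.unpack("!H", packet[:2])[0]
    pos, labels = 12, []
    while packet[pos] != 0:
        length = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return txid, ".".join(labels)

def accept_response(sent_qname: str, sent_txid: int, response: bytes) -> bool:
    """Accept only if the TXID matches and the echoed name matches case-for-case."""
    txid, qname = parse_question(response)
    return txid == sent_txid and qname == sent_qname

def extra_entropy_bits(name: str) -> int:
    """One unpredictable bit per ASCII letter, on top of the 16-bit TXID."""
    return sum(1 for c in name if c.isascii() and c.isalpha())

if __name__ == "__main__":
    sent = encode_0x20("www.example.com")        # constructed sample name
    txid = secrets.randbits(16)
    genuine = build_message(sent, txid, 0x8180)  # server echoes the exact case
    forged = build_message(sent.swapcase(), txid, 0x8180)  # right TXID, wrong case
    print(sent, extra_entropy_bits(sent))
    print("genuine accepted:", accept_response(sent, txid, genuine))
    print("forged accepted: ", accept_response(sent, txid, forged))
```

In Unbound this behaviour is switched on with the `use-caps-for-id` option in unbound.conf. Short names with few letters gain correspondingly few bits.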

  6. Misreported by Spazmania · · Score: 5, Informative

    I was in the meeting. As I recall, one gentleman, I'll repeat that, one gentleman from the audience of a few hundred got up and expressed the opinion that we should do nothing so as to spur DNSSEC deployment.

    There was rather more consensus for the view that we should avoid making quick hacks that might obstruct DNSSEC deployment since DNSSEC is currently the only approach on the table that we're reasonably sure ends the problem.

    --
    Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.