Actually, he is right. Einstein for example did not study physics, he studied mathematics. There was no such thing as physics back then. Feynman mentions this in his books as well, that only during the war the term 'physicist' had started to mean something.
It is generally not made clear that problems are only to be expected for those users behind DNS resolvers that ask 'DNSSEC OK=1' questions by default.
Such 'do=1' default behaviour was enabled in BIND, most likely in an effort to 'make the world safe for DNSSEC'. Even though no further DNSSEC processing is performed by default.
Other implementations, like PowerDNS & DJBDNS, do not wantonly ask 'DNSSEC OK=1' questions. This means that for these (and other) resolvers, on May 5th nothing will happen.
The 'testing' sites linked do not clarify if you are behind a resolver that asks 'do=0' or 'do=1' questions, and may thus lead to needless worry.
Cheers,
Bert - PowerDNS.
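The 'do=0' versus 'do=1' distinction in the comment above, as an added example (not part of the original comment and not PowerDNS code): it builds a query with or without an EDNS0 OPT record and reads the 'DNSSEC OK' bit back out of the wire format. The function names and the sample query for example.com are assumptions made for illustration.

```python
import struct

OPT = 41          # EDNS0 pseudo-RR type (RFC 6891)
DO_FLAG = 0x8000  # "DNSSEC OK" bit in the OPT flags field (RFC 3225)

def encode_name(name):
    """Encode a dotted name as length-prefixed labels ending in the root."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, do=None, qtype=1, bufsize=4096):
    """Constructed sample query; do=None sends no OPT, True/False sets DO."""
    arcount = 0 if do is None else 1
    pkt = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, arcount)
    pkt += encode_name(name) + struct.pack("!HH", qtype, 1)
    if do is not None:
        flags = DO_FLAG if do else 0
        # root name, TYPE=OPT, CLASS=UDP size, TTL=ext-rcode|version|flags, RDLEN=0
        pkt += b"\x00" + struct.pack("!HHBBHH", OPT, bufsize, 0, 0, flags, 0)
    return pkt

def skip_name(pkt, off):
    """Return the offset just past the name starting at off."""
    while True:
        n = pkt[off]
        if n & 0xC0 == 0xC0:   # a compression pointer ends the name
            return off + 2
        off += 1
        if n == 0:
            return off
        off += n

def do_bit(pkt):
    """True for do=1, False for do=0, None when the message has no OPT record."""
    _, _, qd, an, ns, ar = struct.unpack_from("!HHHHHH", pkt, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(pkt, off) + 4      # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(pkt, off)
        rtype, _, ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10 + rdlen
        if rtype == OPT:
            return bool(ttl & DO_FLAG)     # flags are the low 16 bits of TTL
    return None
```

Running `do_bit` over queries captured on the path from a resolver to authoritative servers shows which of the two behaviours that resolver has.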
Paul,
I'd love to know more about how PowerDNS could be spoofed more easily - I'd love to fix it. Since Kaminsky, nothing has changed within the PowerDNS Recursor, so anything you've discovered is still relevant!
Bert
Nothing too serious, probably a prank from some bored employees at the time. We asked some of the Nominum people what they were up to, since we'd been receiving packets that caused PowerDNS to crash from Nominum IP space.
I seem to recall one of their (ex-)employees eventually even told us which bug they had been triggering.
I don't for a moment believe this was a Nominum-sanctioned activity.
But this is all way back in the mists of time, the beginning of 2002.
Bert
(PowerDNS)
Some time ago I wrote a site about DNA as seen through the eyes of a coder, which dovetails nicely with this article.
:-)
Highly recommended
bert.
lo0.ar5.enschede1.surf.net 3613: Nov 20 07:20:50.927 UTC: %ENV_MON-2-TEMP: Hotpoint temp sensor(slot 18) temperature has reached WARNING level at 61(C)
A few seconds later on the local side:
lo0.cr2.amsterdam2.surf.net 1146: Nov 20 07:20:56.458 UTC: %CLNS-5-ADJCHANGE: ISIS: Adjacency to ar5.enschede1 (POS2/0) Down, interface deleted(non-iih)
> WL: Not a lot, though sometimes one steals ideas.
> Linux, for instance, stole part of the BSD
> networking stack. [Pauses.] All of it.
Doesn't it strike you as odd that the BSD people have been touting the superiority of their networking stack for years, and now that it has become clear that the Linux stack cleans up everything out there (see the specweb99 results), they change their opinion and suddenly it is 'stolen from BSD'?
It is only recently that we realise the distance between mathematics and physics, see for example Bertrand Russell's 'On the unreasonable effectiveness of mathematics in the natural sciences'.
This is a known issue, with a known solution, and people are working on it. It is on Alan's 2.4 Jobs List.
We created some Wonderful 2.4 HOWTOs:
Linux Volume Management - or 'How do I grow my filesystem by buying more disks'
Linux Advanced Routing and Traffic Shaping - or 'How do I run my internet exchange with nothing but Linux and keep bandwidth for myself'
Deb,
Do you believe in literate programming? The Linux kernel has just started to include DocBook comments and scripts to build documentation.
It seems to be a bit like snake oil in that it is supposed to solve all our problems, and as a programmer (==born optimist), I tend to believe this.
I am not sure, however, if this is the way to go. A friend of mine works at a company that has dedicated documentalists who continuously bother programmers with questions on what they are doing.
What are your thoughts?