LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

(Nearly) full tickless operation in 3.10

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

The defect is being patched, the issue remains

The defect is being patched, the issue remains

Posted Jul 10, 2008 14:02 UTC (Thu) by copsewood (subscriber, #199)
In reply to: Issue by ncm
Parent article: Dan Kaminsky Discovers Fundamental Issue In DNS: Massive Multivendor Patch Released (Securosis.com) 

Dan Kaminsky didn't discover the basic problem with the design of DNS or implementations of
it. This was known about years ago, to the extent DJB was aware of it and worked around it to
make DJBDNS not vulnerable to the same extent other unpatched DNS implementations are.
Kaminsky appears to have discovered an attack which exploits the problem in a more devastating
manner than previously known possible.

The basic defect in DNS isn't solved by the current set of patches. DNS without DNSSEC, even
if further third party cache-poisoning exploits are not discovered, still depends upon trust
in a chain of middlemen DNS caching servers in order to communicate authoritative DNS
information from DNS content servers to clients. So the wider issue of insecurity inherent
within the design of DNS itself remains. The additional entropy provided by these patches
makes a class of technical attacks by outsiders more difficult, but this simply delays the
inevitable need to transition to DNSSEC at some point in the future.

(Log in to post comments)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds