Posted Oct 10, 2008 12:02 UTC (Fri) by copsewood (subscriber, #199)
Parent article: Partial disclosure
"Because of the addition of source port randomization as the fix, it didn't take very long for other security researchers to come up with the vulnerability."
I'm not convinced Kaminsky's partial disclosure was a bad thing for maintainers of minority DNS products who were not pre-informed in the initial secret disclosure limited to main DNS vendors. Once the details of the coordinated fix were released, the class of attack and fixes needed became obvious if not the specific vector. The knowledge of the class of attack should have made it possible to improve randomisation of source ports on minority DNS products. It's not as if Dan Bernstein hadn't foreseen this class of attack years before in connection with the design of DJBDNS anyway. This product was no more vulnerable before this disclosure than the mainstream patched DNS products were afterwards. It may not have taken very long for the specific attack to have been discovered, but this should have been long enough to fix minority DNS products against the entire class of attack concerned, to the extent DNS as opposed to DNSSEC as a protocol and products implementing it can be fixed at all.
If Kaminsky had spilled the beans in public all at once, this would have given less time to patch DNS products against the entire class of attack. What would have been more likely is that maintainers would have had to come up with faster and narrower fixes which would have proved less durable than patches fixing the entire class of attack.
When to release what information about a devastating new specific attack is a hard problem, but I don't think Kaminsky did such a bad job compared to how some researchers might have chosen to handle the same knowledge. This is based on the objective of making it possible to keep the existing Net going somehow, rather than the objective of punishing every admin for not knowing everything that all security researchers taken together know at any given time. Some people commenting on this kind of issue seem to presume the latter objective to be reasonable but I don't.
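The comment's point is that, once "source port randomisation" was known to be the fix, an operator of any DNS product could check whether their resolver actually varies both the transaction ID and the UDP source port. The script below is an added example, not part of the comment or of any DNS product; it assumes you have already extracted (transaction id, source port) pairs from a capture of a resolver's outbound queries, and here constructs two such lists inline, one resembling a pre-fix resolver (fixed port, counter-style IDs) and one with both fields randomised. It reports the empirical entropy of each field and flags the patterns that made the class of attack cheap.

```python
"""Audit a resolver's source-port and transaction-ID randomisation.

Added example (not from the original page). Input is a list of
(txid, sport) pairs observed on a resolver's outbound queries; the two
sample lists at the bottom are constructed, not captured.
"""
import math
import random
from collections import Counter


def sample_entropy_bits(values):
    """Empirical Shannon entropy of the observed values, in bits.

    This is capped at log2(len(values)); it is a relative measure used to
    compare fields, not the true entropy of the generator.
    """
    n = len(values)
    counts = Counter(values)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def is_sequential(values, modulus=65536, tolerance=0.9):
    """True when most consecutive values differ by +1 (a counter, not a PRNG)."""
    if len(values) < 2:
        return False
    steps = sum(1 for a, b in zip(values, values[1:]) if (b - a) % modulus == 1)
    return steps / (len(values) - 1) >= tolerance


def assess_randomisation(observations):
    """Return a report for a list of (txid, sport) pairs.

    verdict is "weak" if the port is fixed, either field is a counter, or
    the ports seen cover far fewer values than the sample size allows.
    """
    txids = [t for t, _ in observations]
    ports = [p for _, p in observations]
    distinct_ports = len(set(ports))
    report = {
        "txid_bits": round(sample_entropy_bits(txids), 2),
        "port_bits": round(sample_entropy_bits(ports), 2),
        "distinct_ports": distinct_ports,
        "fixed_port": distinct_ports == 1,
        "sequential_txid": is_sequential(txids),
        "sequential_port": is_sequential(ports),
    }
    weak = (
        report["fixed_port"]
        or report["sequential_txid"]
        or report["sequential_port"]
        # expect nearly one distinct port per query when ports are random
        or distinct_ports < len(observations) // 2
    )
    report["verdict"] = "weak" if weak else "ok"
    return report


def constructed_samples(n=500, seed=2008):
    """Two constructed observation sets: an unpatched-style resolver and a
    randomising one. Port range 1024-65535 mirrors common resolver settings."""
    old_style = [(1000 + i, 53) for i in range(n)]          # counter ID, fixed port
    rng = random.Random(seed)
    randomised = [(rng.randrange(65536), rng.randrange(1024, 65536)) for _ in range(n)]
    return old_style, randomised


if __name__ == "__main__":
    for name, obs in zip(("old-style", "randomised"), constructed_samples()):
        print(name, assess_randomisation(obs))
```

On a real resolver, the pairs would come from a packet capture of port-53 queries leaving the host (the query ID and UDP source port of each outbound packet); a "weak" verdict means the second field adds no guessing cost and the resolver needs the class-of-attack fix the comment describes, regardless of which vendor ships it.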