User: Password:
|
|
Subscribe / Log in / New account

DNSCurve: an alternative to DNSSEC

DNSCurve: an alternative to DNSSEC

Posted Jul 9, 2009 14:00 UTC (Thu) by jake (editor, #205)
In reply to: DNSCurve: an alternative to DNSSEC by job
Parent article: DNSCurve: an alternative to DNSSEC

> To say that "most other DNS servers" needed patching is a bit of an
> overstatement, it was mostly (only?) BIND and its derivatives that did.

Hmm, if you are only talking about free software DNS servers, then maybe.
But there was the whole "coordinated vendor response" that patched numerous
vendor DNS implementations on the same day. Apple, Microsoft, Cisco, et al.
all patched their (presumably not all BIND-derived) DNS servers.

jake


(Log in to post comments)

DNSCurve: an alternative to DNSSEC

Posted Jul 17, 2009 22:50 UTC (Fri) by job (guest, #670) [Link]

As far as I know, they are. Apple ships BIND mostly as-is, Microsoft at least their 2000 product is clearly BIND 4-based, Cisco wouldn't surprise me if they too started out with it. It was more or less the reference code for DNS.

DNSCurve: an alternative to DNSSEC

Posted Jul 28, 2009 7:08 UTC (Tue) by Duncan (guest, #6647) [Link]

You're right here (AFAIK), which makes you effectively wrong above. BIND
/is/ the reference implementation. As such, a reasonably large segment of
the DNS server base is BIND based, and by percentage, it's even higher,
due to (as mentioned) MS, Apple, Cisco, probably other router/network
vendors such as Juniper, etc, all shipping reference implementation (aka
BIND) based code.

So yeah, including all the little shareware etc DNS implementations, plus
DJB's implementation, it's possible that the majority of implementations
numerically weren't affected (tho I'd doubt even that), but certainly, by
share, an overwhelming majority of users /were/ affected. And that's not
even counting all the stub resolvers, tho the exposure there was
effectively per-instance rather than per X-thousands. GLIBC, etc, all
that was affected, a good deal of the caching servers were affected, the
Linux based routers, most or all of them (including the non-glibc ones,
AFAIK) were affected, MS was affected there too, etc. So even those folks
depending on unaffected full resolvers were often at risk due to the stub
resolvers.

So a very large share of the Internet using public was affected at some
level, either from their full DNS server or at the stub-resolver (possibly
at multiple levels there too) level, with a good many affected at multiple
levels, initially.

This is why it was such a big deal. They say it's a big deal when you
actually know someone affected, but this was far larger than that, since
/most/ of the people /everyone/ knew, were affected at at least one level,
many at multiple levels. The SDC and WHO are predicting something like
30-40% swine flu coverage within two years if the vaccines don't stop it.
Luckily it's not fatal for most, just seriously uncomfortable for awhile,
and fatal for a few. (Some have theorized that's one of the reasons it's
pandemic, people aren't actually dying, and are apparently still
contagious a week after they're feeling better, thus allowing it to spread
much more efficiently while bumping down the urgency of guarding against
it.) That makes it a reasonable analogy for the Kaminsky DNS issue, but
bump those rates to 80-90% exposure, possibly more (I actually saw a
figure of 97% somewhere, again, considering all levels, so 80-90% may be
conservative), and that's what they were looking at. That's not just big,
it's apocalyptic in scale, so big that even a single percent kill rate is
a very large number of people!

DNSCurve: an alternative to DNSSEC

Posted Aug 4, 2009 10:38 UTC (Tue) by job (guest, #670) [Link]

It's all nitpicking of course. "Most servers" is easily misread as many different server software products and not many different installations. It could have been clearer, that's all.

DNS is a system where flaws, like caching logic, easily can affect different implementations so it's important if the problem is with BIND or the DNS protocol. The BIND monoculture is a bit troublesome too, but that's another issue (I've used both TinyDNS and NSD in production but they all have issues of their own).


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds