Joe Baptista wrote, On 31/12/09 17:20:
> This is a false allegation that the press has repeated without any investigation of the facts. Kaminsky never discovered anything; he simply repackaged an existing well-known problem as his own. Also, the DNS protocol is not vulnerable in itself, nor is it a security risk. The security problem is not in the DNS protocol but in the transport protocol used for DNS transactions. In this case it is the UDP protocol that is vulnerable to attack.
> This problem has existed for at least 15 years. I remember it existed in the 1990's when I was commissioned to investigate vulnerabilities in military DNS servers.
That's interesting. Any pointers to the study you released at the time, that may justify your claim that you discovered the vulnerability 14 years before Kaminsky?
> A solution to this problem is available and was developed a few years ago by Dr. Bernstein at the University of Illinois at Chicago. It's called DNSCurve.
DNSSEC and DNSCurve address different problems. Read for example this post from the NANOG list, which tries to summarize the differences: http://mailman.nanog.org/pipermail/nanog/2009-August/012474.html The author is in no way linked to DJB, so I guess there is more objectivity in this post than in Dan Bernstein's advocacy.

Patrick