George and all, Well yes this is a move in the right direction. But it is far too little and perhaps far too late as we have seen with Apple. See: See: (August 1, 2008) Apple released a patch for the recently disclosed and exploited DNS vulnerability, but while it fixes Mac OS X systems used as DNS servers, it does not protect Macs being used as client systems. Fully patched versions of both Tiger (version 10.4.11) and Leopard (version 10.5.4) do not adequately randomize DNS source ports. Apple released Security Update 2008-005 on Thursday, July 31 to address 17 flaws in its OS X operating system. - From Internet Storm Center: http://isc.sans.org/diary.html?storyid=4810 A quick packet dump of my fully patched Leopard machine (OS X 10.5.4) shows it is - as a DNS client - still using incrementing ports. http://www.theregister.co.uk/2008/08/01/osx_still_vulnerable/print.html http://www.informationweek.com/news/hardware/mac/showArticle.jhtml?articleID... http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti... Secondly, it wasn't Dan k. that origanally made note of this and many other DNS security holes that can expose users to serious danger. That was done back in 2001 on the old DNSO GA mailing list. George Kirikos wrote:
Hello,
Just to followup, ICANN sent out a news release earlier:
http://www.icann.org/en/announcements/announcement-06aug08-en.htm
It's a step in the right direction, to help educate folks. However, there's no true "fix", as the protocol itself is broken. A move towards DNSSEC or other secure DNS would be the only appropriate long-term solution.
If there's ever a cyber 9/11, as Lessig discussed at:
http://news.slashdot.org/article.pl?sid=08/08/05/220229
widespread DNS cache poisoning might be one of the root causes.
I'd like to hear from VeriSign as to whether they're planning to implement DNSSEC or a secure DNS alternative for .com/net, as PIR intends for .org.
Sincerely,
George Kirikos http://www.kirikos.com/
--- George Kirikos <gkirikos@yahoo.com> wrote:
Hello,
ICANN and VeriSign have been oddly quiet over the entire DNS cache poisoning issue:
http://www.kb.cert.org/vuls/id/800113 http://www.circleid.com/posts/87143_dns_not_a_guessing_game/ http://it.slashdot.org/article.pl?sid=08/07/08/195225&tid=172
PIR has a pending proposal to implement DNSSEC for .org:
http://www.icann.org/registries/rsep/
Is that something that VeriSign has plans to accelerate for the important .com and .net registries, in order to prevent a long-term meltdown in DNS confidence/trust should DNS cache poisoning become widespread in August and beyond?
No need for a "formal" press release, but I think the community deserves to know that people are working on the long-term solution to this problem, and making it a higher priority relative to other lesser issues.
Point #14 in the latest policy newsletter appears to be the only "hint" that a few people are working on things:
http://www.icann.org/topics/policy/update-jul08.htm#14
Hopefully something will happen before Cairo, as by then there might be widespread disruptions to the internet. Perhaps the Board might want to consider an early special meeting this week or next:
instead of waiting until July 31st, in conjunction with the SSAC.
Sincerely,
George Kirikos http://www.kirikos.com/
Regards, Spokesman for INEGroup LLA. - (Over 281k members/stakeholders strong!) "Obedience of the law is the greatest freedom" - Abraham Lincoln "Credit should go with the performance of duty and not with what is very often the accident of glory" - Theodore Roosevelt "If the probability be called P; the injury, L; and the burden, B; liability depends upon whether B is less than L multiplied by P: i.e., whether B is less than PL." United States v. Carroll Towing (159 F.2d 169 [2d Cir. 1947] =============================================================== Updated 1/26/04 CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS. div. of Information Network Eng. INEG. INC. ABA member in good standing member ID 01257402 E-Mail jwkckid1@ix.netcom.com My Phone: 214-244-4827