All,

Of course Joe and Kaminsky are correct and have been for years. Yet ICANN and the ISC have been unable or unwilling to do the right thing. Well, that's a shame, a very huge shame indeed. We took matters into our own hands, as did Bernstein, and designed our own BIND product. To date, no security holes recognized.

-------- Original Message --------
Subject: [ga] FYI Fwd: Kaminsky on djbdns bugs
Date: Sat, 9 Aug 2008 10:44:32 -0400
From: "Joe Baptista" <baptista@publicroot.org>
To: Ga <ga@gnso.icann.org>

FYI

---------- Forwarded message ----------
From: Joe Baptista <baptista@publicroot.org>
Date: Sat, Aug 9, 2008 at 10:42 AM
Subject: Re: Kaminsky on djbdns bugs
To: Erwin Hoffmann <feh@fehcom.de>
Cc: dns@list.cr.yp.to

Hi,

On Fri, Aug 8, 2008 at 11:33 AM, Erwin Hoffmann <feh@fehcom.de> wrote:

> Hi,
>
> At 03:42 08.08.2008 +0000, D. J. Bernstein wrote:
>
>> Kyle Wheeler writes:
>>
>>> That makes it easier for an attacker to guess the right number, but
>>> only somewhat (your chances per-guess go from one in four billion to,
>>> say, thirty in four billion). This criticism of djbdns seems
>>> somewhat... well, specious.
>>
>> http://cr.yp.to/djbdns/forgery.html has, for several years, stated the
>> results of exactly this attack:
>>
>> The dnscache program uses a cryptographic generator for the ID and
>> query port to make them extremely difficult to predict. However,
>>
>> * an attacker who makes a few billion random guesses is likely to
>> succeed at least once;
>>
>> * tens of millions of guesses are adequate with a colliding attack;
>>
>> etc. The same page also states bilateral and unilateral workarounds
>> that would raise the number of guesses to "practically impossible";
>> but then focuses on the real problem, namely that "attackers with
>> access to the network would still be able to forge DNS responses."
>
> Yes.
>
> I've posted years ago a URL to tinydns.org (originating from Security
> Focus) with a very careful analysis about the above topic Kaminsky
> claims now to be a new affair -- however, the link has been removed (I
> can post a copy of the article in PDF format on request).

I'd be interested in seeing it.

> Most of what Kaminsky discusses is pretty old and well known - obviously
> except for the BIND guys (regarding DNS).

The BIND guys know it. The BIND guys patch BIND every year. But it's so half-assed. How many versions of BIND have been published to address security issues? Answer - every single one.

I've complained for years about this. Especially to the internet DNS pirates at ICANN. It goes nowhere. What pisses me off is that they have the resources to do a good job but don't. From their point of view it seems every BIND vulnerability is a marketing opportunity. It has been either an attempt to use the security issue to deny users access to port 53 or, in this case, an attempt to market a crappy protocol like DNSSEC - which is in my opinion an attempt by a technical community to give control of the root to the 13 root gods.

> Even worse; here in Germany on the Heise ticker, there is more confusion
> regarding MacOS and the missing dnslib patches from Apple (sailing on
> the waves of Kaminsky's 'discoveries').
>
> The common misunderstandings about the roles of the stub-resolver, the
> dns-cache/full-resolver, and the dns-content-server seem to be
> persistent; in particular in spite of DNSSEC.
>
> regards.
> --eh.
>
> (The German-reading folks may have a look in the 2nd edition of my book
> "Technik der IP-Netze" which explains DNS -- I shall translate that
> chapter into English and make it publicly available; any volunteers?)
>
> Dr. Erwin Hoffmann | FEHCom | http://www.fehcom.de/
> Wiener Weg 8, 50858 Cologne | T: +49 221 484 4923 | F: ...24

--
Joe Baptista
www.publicroot.org
PublicRoot Consortium
----------------------------------------------------------------
The future of the Internet is Open, Transparent, Inclusive,
Representative & Accountable to the Internet community @large.
----------------------------------------------------------------
Office: +1 (360) 526-6077 (extension 052)
Fax: +1 (509) 479-0084

Regards,
Spokesman for INEGroup LLA. - (Over 281k members/stakeholders strong!)

"Obedience of the law is the greatest freedom" - Abraham Lincoln

"Credit should go with the performance of duty and not with what is very often the accident of glory" - Theodore Roosevelt

"If the probability be called P; the injury, L; and the burden, B; liability depends upon whether B is less than L multiplied by P: i.e., whether B is less than PL." United States v. Carroll Towing (159 F.2d 169 [2d Cir. 1947])
===============================================================
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS. div. of Information Network Eng. INEG. INC.
ABA member in good standing member ID 01257402
E-Mail jwkckid1@ix.netcom.com
My Phone: 214-244-4827
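The forgery odds Bernstein's page quotes in the thread above (a few billion random guesses against a random ID plus random port, tens of millions with a colliding attack) follow from a simple model: each forged response matches one of k simultaneously outstanding queries with probability k/S, where S is the size of the (ID, port) space. The following is an added illustration, not code from the thread or from djbdns; the 200-outstanding-query figure and the 16-bit port entropy are constructed assumptions chosen to reproduce the quoted numbers.

```python
import math

ID_BITS = 16    # DNS transaction ID
PORT_BITS = 16  # assumed approximate entropy of a randomised source port

def space(id_bits: int = ID_BITS, port_bits: int = 0) -> int:
    """Number of equiprobable (ID, port) pairs a forged response must hit."""
    return 2 ** (id_bits + port_bits)

def p_success(guesses: float, space_size: int, outstanding: int = 1) -> float:
    """Probability that at least one of `guesses` forged responses is accepted.

    A forged response matches any of `outstanding` pending queries for the
    same name with probability outstanding/space_size; many pending queries
    is the 'colliding attack'.  log1p/expm1 keep precision for tiny odds.
    """
    per_guess = min(1.0, outstanding / space_size)
    return -math.expm1(guesses * math.log1p(-per_guess))

def guesses_for(target: float, space_size: int, outstanding: int = 1) -> float:
    """Forged responses needed to reach success probability `target`."""
    per_guess = outstanding / space_size
    return math.log(1 - target) / math.log1p(-per_guess)

def scenarios() -> dict:
    """Constructed scenarios mirroring the figures quoted in the thread."""
    s16 = space(ID_BITS)             # ID only, fixed source port
    s32 = space(ID_BITS, PORT_BITS)  # ID plus random port, as dnscache does
    return {
        # 16-bit ID alone: one guess per ID value already gives ~1-1/e odds
        "id_only_64k_guesses": p_success(2 ** 16, s16),
        # 'a few billion random guesses is likely to succeed at least once'
        "id_port_4e9_guesses": p_success(4e9, s32),
        # 'tens of millions of guesses are adequate with a colliding attack'
        # (assumption: 200 outstanding queries for the same name)
        "colliding_2e7_guesses_k200": p_success(2e7, s32, outstanding=200),
        # guesses for a coin-flip chance against ID plus random port
        "guesses_for_50pct_id_port": guesses_for(0.5, s32),
    }

if __name__ == "__main__":
    for name, value in scenarios().items():
        print(f"{name}: {value:.4g}")
```

The model is the defender's side of the argument in the thread: the difference between a 16-bit space and a 32-bit one is a few guesses versus a few billion, but no size of space stops a forger who can see the traffic.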