On 10/22/2013 10:52 AM, Haya Shulman wrote: >> Disclosing such potential vulnerabilities remains valuable work, >> but I think careful consideration needs to be applied to the >> engineering economics of the best operational-world mitigation >> approaches. > > @/Keith Mitchell/
(My head is *really* hurting from this quotation formatting..)-: (re-wrapping and indenting to list conventions...) > I do not advocate to deploy these or other countermeasures. Above > any doubt you are in the best position to decide which > countermeasures to deploy. Not really, OARC does not operate production service-providing infrastructure except to support a membership organization, most of our infrastructure is dedicated to data-gathering/testbed/research purposes. So I defer to *real* DNS infrastructure operators and implementors on any such judgments. > The situation with DNS checkers is different from deployment of port > randomisation. DNS checkers is a very important service to the > community and the efforts that their operators took to make them > available is very valuable. However, an illusion of security is more > dangerous than not being protected at all (in the later case one is > aware that he is not protected and may be attacked). Fair enough. > I admit that I do not know what economic effort is required to patch > DNS checkers which report per-destination ports, recommended in > [RFC6056], as secure Well, more than we've been able to dedicate in the past month or so. I'm trying to get an estimate of this from those best placed to do the actual work. > but I suggested a fix to this vulnerability some time ago, that > should be fairly simple to implement; Yes, but as I explained privately previously, there is no record of this correspondence through official OARC channels - I did request you re-send, but I don't have a copy of it. > the problem with the porttest checker is that each IP address of the > checker system receives a single query from the tested resolver, and > so to each such IP address a random port is selected. But, if more > than a single query were sent to each checker IP during the test, > then the predictable sequence would be easily identified. Thank you for this clarification - any further points you have about the best way to implement the fix to this would be welcome, but are likely best taken off-list. Keith _______________________________________________ dns-operations mailing list [email protected] https://lists.dns-oarc.net/mailman/listinfo/dns-operations dns-jobs mailing list https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
