most of what u wrote i actually agree with, let me just say a few
things where you need to adjust.
On Tue, Jul 15, 2008 at 3:48 PM, n3td3v <[EMAIL PROTECTED]> wrote:
> Does he go to jail if he breaks the secrecy, or is this his own little
> crusade of half-disclosure?
no, but i am sure he has som
--On July 15, 2008 10:22:56 PM -0400 [EMAIL PROTECTED] wrote:
On Tue, 15 Jul 2008 20:46:57 CDT, Paul Schmehl said:
Perhaps that's because a cert problem on a web server breaks a single
webserver. A cert problem with dns breaks an entire domain.
On the flip side, if you busticate DNS for the
On Tue, 15 Jul 2008 20:46:57 CDT, Paul Schmehl said:
> Perhaps that's because a cert problem on a web server breaks a single
> webserver. A cert problem with dns breaks an entire domain.
On the flip side, if you busticate DNS for the entire domain, you're likely to
*notice* it and *fix* it a lot
> --On July 16, 2008 11:17:07 AM +1000 Mark Andrews <[EMAIL PROTECTED]>=20
> wrote:
>
> >> The real problem isn't signing or resigning zones, or even
> >> successfully=3D20 completing the original configuration (although those
> >> are not trivial for=3D20 the average person trying to setup their
Mark Andrews wrote:
> ... I like simple tools.
This is the list for you then -- there are lots of folk meeting the
description here...
Regards,
Nick FitzGerald
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclos
--On July 16, 2008 11:17:07 AM +1000 Mark Andrews <[EMAIL PROTECTED]>
wrote:
The real problem isn't signing or resigning zones, or even
successfully=20 completing the original configuration (although those
are not trivial for=20 the average person trying to setup their own
dns). It's the tru
> The real problem isn't signing or resigning zones, or even successfully=20
> completing the original configuration (although those are not trivial for=20
> the average person trying to setup their own dns). It's the trust=20
> anchors. Until the root is signed, trust anchors are a PITA. And u
> yes you better listen to Paul. He handles windows updates for a large
> network and was the second person to subscribe to a list full of trolls.
You might also want to listen to me. I've got a long history
with DNS and DNSSEC. A little googling will show this. My
hist
--On July 16, 2008 2:14:42 AM +1000 Mark Andrews <[EMAIL PROTECTED]>
wrote:
--On Tuesday, July 15, 2008 09:14:39 +1000 Mark Andrews
<[EMAIL PROTECTED]
>
wrote:
>And the best solution to this attack is to deploy DNSSEC.
>You don't care where the response comes from provide the
>si
yes you better listen to Paul. He handles windows updates for a large
network and was the second person to subscribe to a list full of trolls.
On Tue, Jul 15, 2008 at 10:47 AM, Paul Schmehl <[EMAIL PROTECTED]>
wrote:
> --On Tuesday, July 15, 2008 09:14:39 +1000 Mark Andrews <
> [EMAIL PROTECTED]>
> On Tue, Jul 15, 2008 at 5:14 PM, Mark Andrews <[EMAIL PROTECTED]> wrote:
> >http://www.isc.org/sw/bind/docs/DNSSEC_in_6_minutes.pdf
>
> Good stuff, i recall the early stage being fairly cumbersome...
>
> Now, has there been any progress concerning the patent situation? This
> stopped m
On Tue, Jul 15, 2008 at 12:48 PM, n3td3v <[EMAIL PROTECTED]> wrote:
Who the hell are you, and what have you done with the real netdev?
That was actually an interesting read; if you continue to write like
that you'll start to change the perception people have of you.
Mike
__
On Tue, Jul 15, 2008 at 3:28 PM, Rob <[EMAIL PROTECTED]> wrote:
> Dan is sworn to secrecy until his talk, so we have to wait till then.
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted
n3td3v is mad because he can't afford black hat, and no one is telling
him. so he's whining.
dan said that the patches are intentionally obfuscated.
On Tue, Jul 15, 2008 at 10:28 AM, Rob <[EMAIL PROTECTED]> wrote:
> Ureleet wrote:
>> there can be no actual exploit discussion unless you have dan
On Tue, Jul 15, 2008 at 5:14 PM, Mark Andrews <[EMAIL PROTECTED]> wrote:
>http://www.isc.org/sw/bind/docs/DNSSEC_in_6_minutes.pdf
Good stuff, i recall the early stage being fairly cumbersome...
Now, has there been any progress concerning the patent situation? This
stopped me from actually
> --On Tuesday, July 15, 2008 09:14:39 +1000 Mark Andrews <[EMAIL PROTECTED]
> >
> wrote:
>
> > And the best solution to this attack is to deploy DNSSEC.
> > You don't care where the response comes from provide the
> > signatures are good.
> >
>
> Except that DNSSEC is going to have
--On Tuesday, July 15, 2008 09:14:39 +1000 Mark Andrews <[EMAIL PROTECTED]>
wrote:
>
> And the best solution to this attack is to deploy DNSSEC.
> You don't care where the response comes from provide the
> signatures are good.
>
Except that DNSSEC is going to have to improve dra
Ureleet wrote:
> there can be no actual exploit discussion unless you have dan on the
> thread. dan?
>
> On Sun, Jul 13, 2008 at 3:50 PM, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>> http://blogs.zdnet.com/security/?p=1466
>> Can someone clarify what they meant by "non-reversible patch" ?
I th
there can be no actual exploit discussion unless you have dan on the
thread. dan?
On Sun, Jul 13, 2008 at 3:50 PM, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> http://blogs.zdnet.com/security/?p=1466
> Can someone clarify what they meant by "non-reversible patch" ?
>
> http://www.debian.org/sec
> --On Monday, July 14, 2008 01:01:16 -0400 [EMAIL PROTECTED] wrote:
>
> > On Sun, 13 Jul 2008 23:30:21 CDT, "[EMAIL PROTECTED]" said:
> >
> >> And in the case of recursion, assuming the nameservers are recursive
> >> it will hit the root and fly downward looking for the zone's
> >
> > Note that
--On Monday, July 14, 2008 01:01:16 -0400 [EMAIL PROTECTED] wrote:
> On Sun, 13 Jul 2008 23:30:21 CDT, "[EMAIL PROTECTED]" said:
>
>> And in the case of recursion, assuming the nameservers are recursive
>> it will hit the root and fly downward looking for the zone's
>
> Note that the TLD nameserve
On Sun, 13 Jul 2008 23:30:21 CDT, "[EMAIL PROTECTED]" said:
> And in the case of recursion, assuming the nameservers are recursive
> it will hit the root and fly downward looking for the zone's
Note that the TLD nameservers in general won't recurse - so if you're
trying to look up www.example.com
My analysis of the problem is now that the exploitation happens when a
recursive server goes looking for a record, and in doing so opens
connections to query each nameserver it finds along the path to the
authoritative namserver.
me -> my_dns(recursive)
my_dns -> root
my_dns -> almost_auth
my_dns
Yes, the issue was side tracked a bit. And I'm sure I am
misunderstanding the issue at this point (but I'm also reading
accounts of multiple vulnerabilities so that cannot be avoided)
But normally in DNS operations, slaves and their master are placed in
an authority encapsulated domain for transfe
--On July 13, 2008 9:44:19 PM -0500 [EMAIL PROTECTED] wrote:
If the nameserver is "down" most likely the resolver is going to try a
different one. Meaning you're back to square one. Which is why I asked
what happens if the resolver recv's a response after it's been told
the nameserver is down. I
If the nameserver is "down" most likely the resolver is going to try a
different one. Meaning you're back to square one. Which is why I asked
what happens if the resolver recv's a response after it's been told
the nameserver is down. In any case, I'm not even sure how resolvers
handle dest unreacha
On Sun, Jul 13, 2008 at 5:26 PM, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> What you wrote...
please note that is not my post on that site; i merely link to it. thanks.
> Why flood with dest unreachables when your goal is to answer before
> the nameserver?
if the nameserver is "down", you
What you wrote here 'http://wari.mckay.com/~rm/dns_theroy.txt' does
not make sense. To send a legitimate ICMP dest unreachable you would
need to send back the 20 byte IP header and the first 4 bytes of the
UDP header. That means src_addr, dst_addr, src_port, dst_port. So in
reality, you've taken a
On Sun, Jul 13, 2008 at 2:27 PM, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> ...
> So on that note I'll be more direct. Has anyone actually preemptively
> written any code or reversed this issue on their own? Or just, you
> know, attempted to understand the vulnerability in detail instead of
> r
Hi Paul,
I think maybe you misinterpreted.
If the patch is there, and it is (ar x leads you right to
libisccfg.so.1 - the shared lib used by bind that has been patched)
then obviously there isn't a need to wait for Dan.
So on that note I'll be more direct. Has anyone actually preemptively
writte
--On July 13, 2008 2:50:26 PM -0500 [EMAIL PROTECTED] wrote:
http://blogs.zdnet.com/security/?p=1466
Can someone clarify what they meant by "non-reversible patch" ?
The patch changes the default behavior of dns so that queries are
responded to from random ports rather than always from the sa
http://blogs.zdnet.com/security/?p=1466
Can someone clarify what they meant by "non-reversible patch" ?
http://www.debian.org/security/2008/dsa-1603
Are these .deb patches automagical?
*scratches head*
I'm not interested in discussing the hype or scene-war aspect of this
vulnerability.
Has anyon
32 matches
Mail list logo