Re: Multiple DNS implementations vulnerable to cache poisoning

2008-07-25 Thread Brian Keefer
On Jul 11, 2008, at 7:58 AM, Tuc at T-B-O-H.NET wrote: Reading through the JavaScript that drives , it appears to be pretty easy to write a non-AJAX client to query Dan's service. I threw one together in perl, named "noclicky", that allows you to use Dan's service a

Re: Multiple DNS implementations vulnerable to cache poisoning

2008-07-11 Thread Tuc at T-B-O-H.NET
> Reading through the JavaScript that drives , > it appears to be pretty easy to write a non-AJAX client to query Dan's > service. I threw one together in perl, named "noclicky", that allows you > to use Dan's service against any nameserver specified on the command line. >

Re: Multiple DNS implementations vulnerable to cache poisoning

2008-07-10 Thread Russ Mundy
At 10:24 AM -0700 7/10/08, David Conrad wrote: >Already gotten a hint that something along these lines would be >desirable for LAX. I can propose something to the PC -- which would >be more useful for folks, a more general DNSSEC signing workshop or a >focused presentation on IANA's stuff? > >Rega

Re: Multiple DNS implementations vulnerable to cache poisoning

2008-07-10 Thread Russ Mundy
At 11:08 AM -0400 7/10/08, Christopher Morrow wrote: >On Thu, Jul 10, 2008 at 10:22 AM, Wes Hardaker <[EMAIL PROTECTED]> wrote: >>> On Wed, 9 Jul 2008 22:55:05 -0400, "Christopher Morrow" >>><[EMAIL PROTECTED]> said: >> > aside from just getting some cctlds signed, i will be interested

RE: Multiple DNS implementations vulnerable to cache poisoning

2008-07-10 Thread Andrews Carl 455
https://www.dns-oarc.net -Original Message- From: Michael Sinatra [mailto:[EMAIL PROTECTED] Sent: Thursday, July 10, 2008 1:13 PM To: Jay R. Ashworth Cc: nanog@nanog.org Subject: Re: Multiple DNS implementations vulnerable to cache poisoning On 07/10/08 11:03, Jay R. Ashworth wrote

Re: Multiple DNS implementations vulnerable to cache poisoning

2008-07-10 Thread Michael Sinatra
On 07/10/08 11:03, Jay R. Ashworth wrote: Another test, that apparently was publicized on some dnsops list: dig +short porttest.dns-oarc.net TXT The "some dnsops list" is the OARC public dns-operations list, and this posting explains the tool and briefly describes the results: http://lists.

Re: Multiple DNS implementations vulnerable to cache poisoning

2008-07-10 Thread Jay R. Ashworth
Another test, that apparently was publicized on some dnsops list: dig +short porttest.dns-oarc.net TXT Cheers, -- jra -- Jay R. Ashworth Baylink [EMAIL PROTECTED] Designer The Things I Think RFC 2100 Ashworth & Asso

RE: Multiple DNS implementations vulnerable to cache poisoning

2008-07-10 Thread Martin Hannigan
> -Original Message- > From: David Conrad [mailto:[EMAIL PROTECTED] > Sent: Thursday, July 10, 2008 1:26 PM > To: Martin Hannigan > Cc: [EMAIL PROTECTED] > Subject: Re: Multiple DNS implementations vulnerable to cache poisoning > > > On Jul 9, 2008, at 8:2

Re: Multiple DNS implementations vulnerable to cache poisoning

2008-07-10 Thread Leo Bicknell
In a message written on Wed, Jul 09, 2008 at 12:30:08PM -0700, David Conrad wrote: > for root signing. The fact that root zone data you receive from the > root servers is not signed may suggest that there is a bit more that > needs to be done and pretty much all of that is NOT something ICANN

Re: Multiple DNS implementations vulnerable to cache poisoning

2008-07-10 Thread David Conrad
On Jul 10, 2008, at 2:59 AM, Joao Damas wrote: PS: I would also want a copy of, or a secure method to access, the public part of the keys you use to sign those ccTLDs so I can place them in ISC's DLV registry IANA's 'interim trust anchor repository' will be publicly accessible (of course).

Re: Multiple DNS implementations vulnerable to cache poisoning

2008-07-10 Thread David Conrad
On Jul 9, 2008, at 8:27 PM, Martin Hannigan wrote: If there is sufficient interest, we could do a bar bof to describe some of the tools IANA has... I think Sandy Murphy or other Sparta folks have presented some of the work they've done on this... Perhaps finding one/some of them and having a

Re: Multiple DNS implementations vulnerable to cache poisoning

2008-07-10 Thread David Conrad
Already gotten a hint that something along these lines would be desirable for LAX. I can propose something to the PC -- which would be more useful for folks, a more general DNSSEC signing workshop or a focused presentation on IANA's stuff? Regards, -drc On Jul 9, 2008, at 7:55 PM, Christo

Re: Multiple DNS implementations vulnerable to cache poisoning

2008-07-10 Thread Christopher Morrow
On Thu, Jul 10, 2008 at 10:22 AM, Wes Hardaker <[EMAIL PROTECTED]> wrote: >> On Wed, 9 Jul 2008 22:55:05 -0400, "Christopher Morrow" <[EMAIL PROTECTED]> said: > aside from just getting some cctlds signed, i will be interested in the tools, usability, work flow, ... i.e. what

Re: Multiple DNS implementations vulnerable to cache poisoning

2008-07-10 Thread Phil Regnauld
Eric Davis (eric) writes: > Anyone using Infoblox DNSOne? They claimed to have fixed their BIND version > but I still see issues with source ports staying the same. Which version of the OS are you running?

Re: Multiple DNS implementations vulnerable to cache poisoning

2008-07-10 Thread Joao Damas
I would love to get input on that be it in Dublin or elsewhere, both sides: the authoritative server and the recursive validator. We have ideas and want to do this but I will not claim to be the owner of THE TRUTH, so input is much desired. Joao PS: I would also want a copy of, or a secure

Re: Multiple DNS implementations vulnerable to cache poisoning

2008-07-09 Thread Christopher Morrow
On Wed, Jul 9, 2008 at 11:27 PM, Martin Hannigan <[EMAIL PROTECTED]> wrote: > On Wed, Jul 9, 2008 at 10:55 PM, Christopher Morrow > <[EMAIL PROTECTED]> wrote: >> I think Sandy Murphy or other Sparta folks have presented some of the >> work they've done on this... Perhaps finding one/some of them an

Re: Multiple DNS implementations vulnerable to cache poisoning

2008-07-09 Thread Martin Hannigan
On Wed, Jul 9, 2008 at 10:55 PM, Christopher Morrow <[EMAIL PROTECTED]> wrote: > On Wed, Jul 9, 2008 at 7:28 PM, David Conrad <[EMAIL PROTECTED]> wrote: >> On Jul 9, 2008, at 4:17 PM, Randy Bush wrote: >>> >>> aside from just getting some cctlds signed, i will be interested in the >>> tools, usabil

Re: Multiple DNS implementations vulnerable to cache poisoning

2008-07-09 Thread Christopher Morrow
On Wed, Jul 9, 2008 at 7:28 PM, David Conrad <[EMAIL PROTECTED]> wrote: > On Jul 9, 2008, at 4:17 PM, Randy Bush wrote: >> >> aside from just getting some cctlds signed, i will be interested in the >> tools, usability, work flow, ... i.e. what is it like for a poor >> innocent cctld which wants to

Re: Multiple DNS implementations vulnerable to cache poisoning

2008-07-09 Thread Eric Brunner-Williams
David Conrad wrote: On Jul 9, 2008, at 4:17 PM, Randy Bush wrote: aside from just getting some cctlds signed, i will be interested in the tools, usability, work flow, ... i.e. what is it like for a poor innocent cctld which wants to sign their zone? If there is sufficient interest, we could d

Re: Multiple DNS implementations vulnerable to cache poisoning

2008-07-09 Thread Randy Bush
>> aside from just getting some cctlds signed, i will be interested in >> the tools, usability, work flow, ... i.e. what is it like for a >> poor innocent cctld which wants to sign their zone? > If there is sufficient interest, we could do a bar bof to describe > some of the tools IANA has... sou

Re: Multiple DNS implementations vulnerable to cache poisoning

2008-07-09 Thread David Conrad
On Jul 9, 2008, at 4:17 PM, Randy Bush wrote: aside from just getting some cctlds signed, i will be interested in the tools, usability, work flow, ... i.e. what is it like for a poor innocent cctld which wants to sign their zone? If there is sufficient interest, we could do a bar bof to desc

Re: Multiple DNS implementations vulnerable to cache poisoning

2008-07-09 Thread Randy Bush
David Conrad wrote: >>> There are 4 ccTLDs (se, bg, pr, br) that are signed. >> wanna crawl in a corner in dublin and i can sign a few? > Love to. We can also put your trust anchors in the prototype ITAR (see > the first part of > https://par.icann.org/files/paris/IANAReportKim_24Jun08.pdf). asid

Re: Multiple DNS implementations vulnerable to cache poisoning

2008-07-09 Thread David Conrad
Love to. We can also put your trust anchors in the prototype ITAR (see the first part of https://par.icann.org/files/paris/IANAReportKim_24Jun08.pdf) . Regards, -drc On Jul 9, 2008, at 2:52 PM, Randy Bush wrote: There are 4 ccTLDs (se, bg, pr, br) that are signed. wanna crawl in a corner

Re: Multiple DNS implementations vulnerable to cache poisoning

2008-07-09 Thread Randy Bush
> There are 4 ccTLDs (se, bg, pr, br) that are signed. wanna crawl in a corner in dublin and i can sign a few? randy

RE: Multiple DNS implementations vulnerable to cache poisoning

2008-07-09 Thread Eric Davis
:[EMAIL PROTECTED] Sent: Wednesday, July 09, 2008 4:15 PM To: [EMAIL PROTECTED] Subject: Re: Multiple DNS implementations vulnerable to cache poisoning On Jul 9, 2008, at 4:07 PM, Fernando Gont wrote: > At 12:41 p.m. 09/07/2008, Steven M. Bellovin wrote: > >> It's worth noting that

Re: Multiple DNS implementations vulnerable to cache poisoning

2008-07-09 Thread Patrick W. Gilmore
On Jul 9, 2008, at 4:07 PM, Fernando Gont wrote: At 12:41 p.m. 09/07/2008, Steven M. Bellovin wrote: It's worth noting that the basic idea of the attack isn't new. Paul Vixie described it in 1995 at the Usenix Security Conference (http://www.usenix.org/publications/library/proceedings/security

Re: Multiple DNS implementations vulnerable to cache poisoning

2008-07-09 Thread Fernando Gont
At 12:41 p.m. 09/07/2008, Steven M. Bellovin wrote: It's worth noting that the basic idea of the attack isn't new. Paul Vixie described it in 1995 at the Usenix Security Conference (http://www.usenix.org/publications/library/proceedings/security95/vixie.html) -- in a section titled "What We Can

Re: Multiple DNS implementations vulnerable to cache poisoning

2008-07-09 Thread David Conrad
On Jul 9, 2008, at 10:39 AM, <[EMAIL PROTECTED]> wrote: Pressure your local ICANN officers? Mmph. https://ns.iana.org/dnssec/status.html (it's out of ICANN's hands) Huh!? ... It sounds like ICANN has the matter well in hand to me given that it is only responsible for the

RE: Multiple DNS implementations vulnerable to cache poisoning

2008-07-09 Thread Martin Hannigan
[ snip ] > My point was really, how do we get dns-sec rolling? From the top-down > that's 'bug icann' right? and from the bottom-up that's: It's from the bottom up, not the top down, that might be most effective here. -M<

Re: Multiple DNS implementations vulnerable to cache poisoning

2008-07-09 Thread Jay R. Ashworth
On Wed, Jul 09, 2008 at 12:05:38PM -0400, Christopher Morrow wrote: > get the root zone signed, get com/net/org/ccTLD's signed.. oh wait, > that's not nanog... doh! > > Pressure your local ICANN officers? One of the commenters on Slashdot, who did not sound entirely like a crank, says the root zo

Re: Multiple DNS implementations vulnerable to cache poisoning

2008-07-09 Thread Paul Ferguson
-- Sean Donelan <[EMAIL PROTECTED]> wrote: >On Wed, 9 Jul 2008, Steven M. Bellovin wrote: >> How many ISPs run DNS servers for customers? Start by signing those >> zones -- that has to be done in any event. Set up caching resolvers to >> verify si

Re: Multiple DNS implementations vulnerable to cache poisoning

2008-07-09 Thread Sean Donelan
On Wed, 9 Jul 2008, Steven M. Bellovin wrote: How many ISPs run DNS servers for customers? Start by signing those zones -- that has to be done in any event. Set up caching resolvers to verify signatures. "It is not your part to finish the task, yet you are not free to desist from it." (From t

Re: Multiple DNS implementations vulnerable to cache poisoning

2008-07-09 Thread Steven M. Bellovin
On Wed, 9 Jul 2008 13:06:53 -0400 "Christopher Morrow" <[EMAIL PROTECTED]> wrote: > On Wed, Jul 9, 2008 at 12:11 PM, Steven M. Bellovin > <[EMAIL PROTECTED]> wrote: > > On Wed, 9 Jul 2008 12:05:38 -0400 > > "Christopher Morrow" <[EMAIL PROTECTED]> wrote: > >> Pressure your local ICANN officers? >

RE: Multiple DNS implementations vulnerable to cache poisoning

2008-07-09 Thread michael.dillon
> > Pressure your local ICANN officers? > > Mmph. https://ns.iana.org/dnssec/status.html > > (it's out of ICANN's hands) Huh!? Then what does this following statement refer to? (c) 2008 The Internet Corporation for Assigned Names and Numbers. I found that at the bottom of the IANA page whose

Re: Multiple DNS implementations vulnerable to cache poisoning

2008-07-09 Thread Christopher Morrow
On Wed, Jul 9, 2008 at 12:11 PM, Steven M. Bellovin <[EMAIL PROTECTED]> wrote: > On Wed, 9 Jul 2008 12:05:38 -0400 > "Christopher Morrow" <[EMAIL PROTECTED]> wrote: >> Pressure your local ICANN officers? >> > How many ISPs run DNS servers for customers? Start by signing those This is likely going

Re: Multiple DNS implementations vulnerable to cache poisoning

2008-07-09 Thread David Conrad
On Jul 9, 2008, at 9:05 AM, Christopher Morrow wrote: Understanding that immediate DNSSEC deployment is not a realistic expectation..." I wonder what NANOG folk can do about the second part of that quote... get the root zone signed, get com/net/org/ccTLD's signed.. oh wait, There are 4 ccTLD

Re: Multiple DNS implementations vulnerable to cache poisoning

2008-07-09 Thread Joe Abley
On 9 Jul 2008, at 12:05, Christopher Morrow wrote: On Wed, Jul 9, 2008 at 11:41 AM, Steven M. Bellovin <[EMAIL PROTECTED]> wrote: The ISC web page on the attack notes "DNSSEC is the only definitive solution for this issue. Understanding that immediate DNSSEC deployment is not a realistic

Re: Multiple DNS implementations vulnerable to cache poisoning

2008-07-09 Thread Steven M. Bellovin
On Wed, 9 Jul 2008 12:05:38 -0400 "Christopher Morrow" <[EMAIL PROTECTED]> wrote: > On Wed, Jul 9, 2008 at 11:41 AM, Steven M. Bellovin > <[EMAIL PROTECTED]> wrote: > > > The ISC web page on the attack notes "DNSSEC is the only definitive > > solution for this issue. Understanding that immediate

Re: Multiple DNS implementations vulnerable to cache poisoning

2008-07-09 Thread Christopher Morrow
On Wed, Jul 9, 2008 at 11:41 AM, Steven M. Bellovin <[EMAIL PROTECTED]> wrote: > The ISC web page on the attack notes "DNSSEC is the only definitive > solution for this issue. Understanding that immediate DNSSEC deployment > is not a realistic expectation..." I wonder what NANOG folk can do > abo

Re: Multiple DNS implementations vulnerable to cache poisoning

2008-07-09 Thread Steven M. Bellovin
On Tue, 8 Jul 2008 13:48:57 -0700 "Buhrmaster, Gary" <[EMAIL PROTECTED]> wrote: > > Multiple DNS implementations vulnerable to cache poisoning: > > http://www.kb.cert.org/vuls/id/800113 > > (A widely coordinated vendor announcement. As always, > check

Re: Multiple DNS implementations vulnerable to cache poisoning

2008-07-09 Thread Jay R. Ashworth
On Wed, Jul 09, 2008 at 02:38:38PM +0100, Simon Waters wrote: > On Wednesday 09 July 2008 14:16:53 Jay R. Ashworth wrote: > > On Wed, Jul 09, 2008 at 04:39:49AM -0400, Jean-François Mezei wrote: > > > My DNS server made the various DNS requests from the same port and is > > > thus vulnerable. (VMS

Re: Multiple DNS implementations vulnerable to cache poisoning

2008-07-09 Thread Simon Waters
On Wednesday 09 July 2008 14:16:53 Jay R. Ashworth wrote: > On Wed, Jul 09, 2008 at 04:39:49AM -0400, Jean-François Mezei wrote: > > My DNS server made the various DNS requests from the same port and is > > thus vulnerable. (VMS TCPIP Services so no patches expected). > > Well, yes, but unless I've

Re: Multiple DNS implementations vulnerable to cache poisoning

2008-07-09 Thread Jay R. Ashworth
On Wed, Jul 09, 2008 at 04:39:49AM -0400, Jean-François Mezei wrote: > My DNS server made the various DNS requests from the same port and is > thus vulnerable. (VMS TCPIP Services so no patches expected). Well, yes, but unless I've badly misunderstood the situation, all that's necessary to mitigat

Re: Multiple DNS implementations vulnerable to cache poisoning

2008-07-09 Thread Joe Greco
> > surely the tool is not focused at a dns operator/admin audience.. > > I suspect the tool's form might partly be meant to obscure exactly what > patterns it is looking for. > Kind of how one might release a vulnerability checker in binary form > (but with source code intentionally withheld)

Re: Multiple DNS implementations vulnerable to cache poisoning

2008-07-09 Thread Jean-François Mezei
Michael C. Toren wrote: > bash$ ./noclicky 68.87.76.181 > Looking up r14z2k52m6uj.toorrr.com against 68.87.76.181 > Fetching http://209.200.168.66/fprint/r14z2k52m6uj > Requests seen for r14z2k52m6uj.toorrr.com: > 68.87.76.181:17244 TXID=23113 >
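The noclicky output quoted above, and the `dig +short porttest.dns-oarc.net TXT` check mentioned earlier in the thread, both answer the same question: does the resolver vary its UDP source port across queries, or does it pin one port and leave only the 16-bit TXID as the guessing space? The following is an added example, not part of the original thread and not Dan Kaminsky's, OARC's or Michael Toren's tooling. It parses lines in the `ip:port TXID=n` format noclicky prints and grades the batch. The two sample batches and the 2-bit entropy threshold are constructed for illustration; with only five observations the check can only catch the gross failure (a fixed or near-fixed port), not a weak or predictable generator.

```python
"""
Grade a recursive resolver's source-port and TXID randomisation from a
batch of observed outbound queries in the noclicky 'ip:port TXID=n' format.
Added example; the samples below are constructed, not real captures.
"""
import math
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+TXID=(?P<txid>\d+)\s*$"
)

# Constructed sample: an unpatched resolver that sends every query from port 53.
FIXED_PORT_SAMPLE = """\
192.0.2.53:53 TXID=23113
192.0.2.53:53 TXID=41090
192.0.2.53:53 TXID=5877
192.0.2.53:53 TXID=60231
192.0.2.53:53 TXID=19004
"""

# Constructed sample: a patched resolver that randomises the source port.
RANDOM_PORT_SAMPLE = """\
192.0.2.53:17244 TXID=23113
192.0.2.53:51830 TXID=3301
192.0.2.53:9917 TXID=48872
192.0.2.53:62001 TXID=11276
192.0.2.53:33469 TXID=57618
"""


def parse(text):
    """Return (ip, port, txid) tuples for every line matching the noclicky format."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append((m.group("ip"), int(m.group("port")), int(m.group("txid"))))
    return records


def sample_entropy_bits(values):
    """Shannon entropy in bits of the observed values.

    With n samples this is capped at log2(n), so it is a lower bound on the
    generator's real entropy, never an estimate of the full 16-bit field.
    """
    if not values:
        return 0.0
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def assess(text, min_port_entropy_bits=2.0):
    """Classify a batch of observed queries.

    min_port_entropy_bits is an assumed heuristic: five fully random ports
    give about log2(5) = 2.32 bits, a pinned port gives 0.
    """
    records = parse(text)
    ports = [p for _, p, _ in records]
    txids = [t for _, _, t in records]
    result = {
        "samples": len(records),
        "distinct_ports": len(set(ports)),
        "distinct_txids": len(set(txids)),
        "port_entropy_bits": sample_entropy_bits(ports),
        "txid_entropy_bits": sample_entropy_bits(txids),
    }
    if len(records) < 2:
        result["verdict"] = "insufficient samples"
    elif result["distinct_ports"] == 1:
        result["verdict"] = "fixed source port: only the 16-bit TXID defends the cache"
    elif result["port_entropy_bits"] < min_port_entropy_bits:
        result["verdict"] = "poor source port randomisation"
    else:
        result["verdict"] = "source port randomised across queries"
    return result


if __name__ == "__main__":
    for name, sample in (("fixed", FIXED_PORT_SAMPLE), ("random", RANDOM_PORT_SAMPLE)):
        print(name, assess(sample))
```

Feed it the "Requests seen for ..." lines from a noclicky run against each production resolver; a verdict of "fixed source port" on a box that sits behind NAT may also mean the NAT is rewriting the ports, which is the other case raised in this thread and needs checking on the NAT device rather than the resolver.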

Re: Multiple DNS implementations vulnerable to cache poisoning

2008-07-08 Thread Michael C. Toren
On Tue, Jul 08, 2008 at 06:26:01PM -0700, Lynda wrote: > Owen DeLong wrote: > > The tool, unfortunately, only goes after the server it thinks you are > > using to recurse from the client where you're running your browser. > > > > This makes it hard to test servers being used in production > > envir

Re: Multiple DNS implementations vulnerable to cache poisoning

2008-07-08 Thread Chris Adams
Once upon a time, Jean-François Mezei <[EMAIL PROTECTED]> said: > The tool uses my internet facing IP as my DNS server and tells me I am > vulnerable. Since, from the internet, connecting to that IP at port 53 > will not get you to a DNS server, I find the tool's conclusion rather > without much va

Re: Multiple DNS implementations vulnerable to cache poisoning

2008-07-08 Thread Jean-François Mezei
Re: the tool My DNS server does not serve the outside world. Incoming packets to port 53 are NAT directed to a non-existent IP on the LAN. The tool uses my internet facing IP as my DNS server and tells me I am vulnerable. Since, from the internet, connecting to that IP at port 53 will not get yo

Re: Multiple DNS implementations vulnerable to cache poisoning

2008-07-08 Thread Jimmy Hess
Christian Koch wrote: surely the tool is not focused at a dns operator/admin audience.. I suspect the tool's form might partly be meant to obscure exactly what patterns it is looking for. Kind of how one might release a vulnerability checker in binary form (but with source code intentionally

Re: Multiple DNS implementations vulnerable to cache poisoning

2008-07-08 Thread Jay R. Ashworth
On Tue, Jul 08, 2008 at 05:12:04PM -0700, Lynda wrote: > The forum link also has a link to Dan's tool, where you can see if your > DNS server is vulnerable. As a /.er noted, running that tool after *accessing it via DNS* may not tell you anything, and I don't know that Kaminsky has himself public

Re: Multiple DNS implementations vulnerable to cache poisoning

2008-07-08 Thread Jeffrey Ollie
On Tue, Jul 8, 2008 at 8:26 PM, Lynda <[EMAIL PROTECTED]> wrote: > > Audio of Dan's press interview: > > https://media.blackhat.com/webinars/...conference.mp3 Actual URL: https://media.blackhat.com/webinars/blackhat-kaminsky-dns-press-conference.mp3 Jeff

Re: Multiple DNS implementations vulnerable to cache poisoning

2008-07-08 Thread Lynda
Owen DeLong wrote: The tool, unfortunately, only goes after the server it thinks you are using to recurse from the client where you're running your browser. This makes it hard to test servers being used in production environments without GUIs. The tool is not Lynx compatible. Figures. It's b

Re: Multiple DNS implementations vulnerable to cache poisoning

2008-07-08 Thread Christian Koch
surely the tool is not focused at a dns operator/admin audience.. On Tue, Jul 8, 2008 at 8:20 PM, Owen DeLong <[EMAIL PROTECTED]> wrote: > The tool, unfortunately, only goes after the server it thinks you are using > to > recurse from the client where you're running your browser. > > This make

Re: Multiple DNS implementations vulnerable to cache poisoning

2008-07-08 Thread Owen DeLong
The tool, unfortunately, only goes after the server it thinks you are using to recurse from the client where you're running your browser. This makes it hard to test servers being used in production environments without GUIs. The tool is not Lynx compatible. Owen On Jul 8, 2008, at 5:12 PM, L

Re: Multiple DNS implementations vulnerable to cache poisoning

2008-07-08 Thread Lynda
This is also being covered over on the Defcon Forums. Jeff Moss has said that he'll post the link to the interview that Kaminsky is doing right now, after it's over. Here's the link to the Forum discussion: https://forum.defcon.org/showthread.php?t=9547 The forum link also has a link to Dan's

Re: Multiple DNS implementations vulnerable to cache poisoning

2008-07-08 Thread Jay R. Ashworth
On Tue, Jul 08, 2008 at 07:20:05PM -0400, Jay R. Ashworth wrote: > Obligatory Slashdot link: > http://it.slashdot.org/article.pl?sid=08/07/08/195225 Additional coverage: http://news.cnet.com/8301-10789_3-9985815-57.html http://news.cnet.com/8301-10789_3-9985826-57.html ht

Re: Multiple DNS implementations vulnerable to cache poisoning

2008-07-08 Thread Jay R. Ashworth
On Tue, Jul 08, 2008 at 01:48:57PM -0700, Buhrmaster, Gary wrote: > Multiple DNS implementations vulnerable to cache poisoning: > > http://www.kb.cert.org/vuls/id/800113 > > (A widely coordinated vendor announcement. As always, > check with your vendor(s) for patch status.) O

Multiple DNS implementations vulnerable to cache poisoning

2008-07-08 Thread Buhrmaster, Gary
Multiple DNS implementations vulnerable to cache poisoning: http://www.kb.cert.org/vuls/id/800113 (A widely coordinated vendor announcement. As always, check with your vendor(s) for patch status.) Gary