On Wed, 30 Jul 2008 07:57:49 -0700, Bill Shupp <[EMAIL PROTECTED]>
wrote:
> In case anyone hasn't seen this thread:
> 
> http://marc.info/?l=djbdns&m=121561642400807&w=2

Here's a quick summary:

In short, tinydns is not vulnerable as it is not a cache.  dnscache, thus
far, is not vulnerable.  However, the "fix" for vulnerable DNS caches is
merely to add more randomness and possible combinations to guess.  It is
*NOT* a complete fix, but merely a temporary shim.  Currently, an unpatched
cache is vulnerable in approximately 10 seconds.  With this fix in place,
it can take up to 8 days of continuous attempts.  The thought is that the
operator of the cache should notice the activity with enough time to
respond.

DNSSEC is being touted as the "true" fix for this.  If you're a djb user,
he has stated that DNSSEC is basically broken at the moment and possibly
not worth the effort.  I haven't done enough research either way to make a
decision.

The details of the exploit have basically been made public at this point,
and confirmed by Dan Kaminsky, the one who found the vulnerability.  I have
a writeup about it in my blog[1] if you're interested.  There may be
additional details during blackhat on August 7th, though.

In short, I have to agree with Dan, Paul, and the rest of the people
raising the alarm.  This is fairly serious, and if you are using a
vulnerable cache, please get the patch installed.  If you have a cache
behind a firewall or NAT that does not randomize ports, you are also
vulnerable (EVEN IF YOU PATCH!), so be aware and look into getting that
fixed as well.

> Regards,
> 
> Bill

1)
http://blog.godshell.com/blog/index.php?/archives/157-Steal-the-Nets-Identity.html

-- 
Jason 'XenoPhage' Frisvold
[EMAIL PROTECTED]
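The two figures in the summary above (about 10 seconds unpatched, up to 8 days with source-port randomization) follow from how much the guessing space grows when the forged reply must match a random port as well as a 16-bit transaction ID. The script below is an added example, not part of Jason's mail and not djbdns code: it computes that growth, and it runs the check the last paragraph asks for, namely whether a resolver's queries still show varying source ports once they have passed a firewall or NAT. The usable port range 1024-65535, the tcpdump-style line format, and the addresses are assumptions; the sample lines are constructed.

```python
import math
import re
from collections import Counter

TXID_SPACE = 1 << 16                # 16-bit DNS transaction ID
EPHEMERAL_PORTS = 65535 - 1024 + 1  # assumed usable source-port range 1024..65535


def guess_space(ports_randomized: bool) -> int:
    """Combinations a forged reply must match: txid alone, or txid x source port."""
    return TXID_SPACE * (EPHEMERAL_PORTS if ports_randomized else 1)


def scaled_attack_time(base_seconds: float, ports_randomized: bool) -> float:
    """Scale a measured time-to-poison by how much the guessing space grew."""
    return base_seconds * guess_space(ports_randomized) / guess_space(False)


# Matches a tcpdump-style outbound query record (assumed format, see _line below).
LINE_RE = re.compile(r"IP \S+\.(\d+) > \S+\.53: (\d+)\+? ")


def parse_queries(lines):
    """Return a list of (source_port, txid) tuples for the query lines that parse."""
    out = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            out.append((int(m.group(1)), int(m.group(2))))
    return out


def shannon_bits(values) -> float:
    """Shannon entropy (bits) of the observed value distribution."""
    n = len(values)
    return -sum((c / n) * math.log2(c / n) for c in Counter(values).values())


def analyze(lines, min_distinct_ratio=0.9):
    """Summarise source-port behaviour as seen on the far side of the firewall/NAT.

    'randomized' is True when at least min_distinct_ratio of the sampled queries
    used a distinct source port; a NAT that rewrites everything to one port, or a
    resolver bound to a fixed port, fails this check.
    """
    q = parse_queries(lines)
    ports = [p for p, _ in q]
    distinct = len(set(ports))
    return {
        "queries": len(q),
        "distinct_ports": distinct,
        "port_entropy_bits": round(shannon_bits(ports), 2) if ports else 0.0,
        "randomized": bool(q) and distinct / len(q) >= min_distinct_ratio,
    }


def _line(src_port, txid):
    # Constructed tcpdump-style record of one outbound query from resolver 10.0.0.5
    return (f"12:00:00.000000 IP 10.0.0.5.{src_port} > 192.0.2.1.53: "
            f"{txid}+ A? example.com. (29)")


# Constructed samples: a resolver (or NAT) pinning every query to port 53,
# and one whose source ports vary from query to query.
FIXED_PORT_LINES = [_line(53, t) for t in
                    (6699, 12345, 54321, 1000, 2000, 3000, 4000, 5000, 6000, 7000)]
RANDOM_PORT_LINES = [_line(p, t) for p, t in zip(
    (40111, 51234, 33001, 62010, 45987, 38888, 57321, 41200, 60999, 35555),
    (6699, 12345, 54321, 1000, 2000, 3000, 4000, 5000, 6000, 7000))]


if __name__ == "__main__":
    print("guess space, txid only:     ", guess_space(False))
    print("guess space, txid + port:   ", guess_space(True))
    days = scaled_attack_time(10, True) / 86400
    print(f"10 s unpatched scales to ~{days:.1f} days with random ports")
    print("fixed-port sample: ", analyze(FIXED_PORT_LINES))
    print("random-port sample:", analyze(RANDOM_PORT_LINES))
```

Scaling the 10-second figure by the port-space growth lands at roughly 7.5 days, in line with the "up to 8 days" quoted above; the point is that the patch adds about 16 bits of guessing, not that it removes the race. To use `analyze` on a real resolver, capture its outbound port-53 queries from a vantage point outside the NAT or firewall (not on the resolver itself), since that is where a port-rewriting middlebox would collapse the randomization.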
