I am not sure what you mean by "official OARC channels"; I forwarded my communication on this issue, with porttest operators, to you a month or so ago. Maybe these were not official channels, but I have not contacted OARC otherwise, via a different channel. Can you please advise how to contact OARC through official channels? Thank you.
On Tue, Oct 22, 2013 at 7:53 PM, Keith Mitchell <ke...@dns-oarc.net> wrote:

> On 10/22/2013 10:52 AM, Haya Shulman wrote:
>
>>> Disclosing such potential vulnerabilities remains valuable work,
>>> but I think careful consideration needs to be applied to the
>>> engineering economics of the best operational-world mitigation
>>> approaches.
>>
>> @/Keith Mitchell/
>
> (My head is *really* hurting from this quotation formatting..)-:
> (re-wrapping and indenting to list conventions...)
>
>> I do not advocate to deploy these or other countermeasures. Above
>> any doubt you are in the best position to decide which
>> countermeasures to deploy.
>
> Not really, OARC does not operate production service-providing
> infrastructure except to support a membership organization, most of our
> infrastructure is dedicated to data-gathering/testbed/research purposes.
> So I defer to *real* DNS infrastructure operators and implementors on
> any such judgments.
>
>> The situation with DNS checkers is different from deployment of port
>> randomisation. DNS checkers are a very important service to the
>> community and the efforts that their operators took to make them
>> available are very valuable. However, an illusion of security is more
>> dangerous than not being protected at all (in the latter case one is
>> aware that he is not protected and may be attacked).
>
> Fair enough.
>
>> I admit that I do not know what economic effort is required to patch
>> DNS checkers which report per-destination ports, recommended in
>> [RFC6056], as secure
>
> Well, more than we've been able to dedicate in the past month or so. I'm
> trying to get an estimate of this from those best placed to do the
> actual work.
>
>> but I suggested a fix to this vulnerability some time ago, that
>> should be fairly simple to implement;
>
> Yes, but as I explained privately previously, there is no record of this
> correspondence through official OARC channels - I did request you
> re-send, but I don't have a copy of it.
>
>> the problem with the porttest checker is that each IP address of the
>> checker system receives a single query from the tested resolver, and
>> so to each such IP address a random port is selected. But, if more
>> than a single query were sent to each checker IP during the test,
>> then the predictable sequence would be easily identified.
>
> Thank you for this clarification - any further points you have about the
> best way to implement the fix to this would be welcome, but are likely
> best taken off-list.
>
> Keith
>

--
Haya Shulman
Technische Universität Darmstadt
FB Informatik/EC SPRIDE
Mornewegstr. 30
64293 Darmstadt
Tel. +49 6151 16-75540
www.ec-spride.de
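The checker gap described in the quoted exchange (one query per checker IP cannot tell RFC 6056 per-destination port allocation from true randomisation, while several queries per IP reveal the sequential run) can be illustrated with a small simulation. The following is an added example written for this page; it is not code from the thread, from OARC's porttest, or from any resolver. The class names, the `192.0.2.x` checker addresses (RFC 5737 documentation range), the use of a per-destination random offset as a stand-in for RFC 6056's keyed hash, and the `max_step` tolerance of 64 are all assumptions of the example.

```python
import random
from typing import Dict, List

# Ephemeral port range as recommended by RFC 6056 (1024-65535).
EPHEMERAL_LO = 1024
EPHEMERAL_HI = 65535
RANGE = EPHEMERAL_HI - EPHEMERAL_LO + 1


class RandomPortResolver:
    """Model of a resolver with simple port randomisation: each query's
    source port is drawn independently and uniformly from the range."""

    def __init__(self, seed: int) -> None:
        self._rng = random.Random(seed)

    def source_port(self, dst: str) -> int:
        return EPHEMERAL_LO + self._rng.randrange(RANGE)


class PerDestinationResolver:
    """Model of RFC 6056 Algorithm 3 style per-destination allocation:
    port = lo + (F(dst, secret) + counter) mod range. F is modelled here
    (an assumption of this example) by a secret random offset per
    destination; the counter is global and advances on every query, so
    one query per destination looks uniformly random from the outside."""

    def __init__(self, seed: int) -> None:
        self._rng = random.Random(seed)
        self._offsets: Dict[str, int] = {}
        self._counter = 0

    def source_port(self, dst: str) -> int:
        if dst not in self._offsets:
            self._offsets[dst] = self._rng.randrange(RANGE)
        port = EPHEMERAL_LO + (self._offsets[dst] + self._counter) % RANGE
        self._counter += 1
        return port


def run_checker(resolver, checker_ips: List[str], rounds: int) -> Dict[str, List[int]]:
    """Simulated porttest: the resolver is made to query each checker IP
    once per round; the checker records the source port seen on each IP.
    rounds=1 is the single-query-per-IP behaviour discussed in the thread."""
    observed: Dict[str, List[int]] = {ip: [] for ip in checker_ips}
    for _ in range(rounds):
        for ip in checker_ips:
            observed[ip].append(resolver.source_port(ip))
    return observed


def is_sequential(ports: List[int], max_step: int = 64) -> bool:
    """True when every successive pair of ports seen on one destination
    advances by a small positive step (modulo the range). Steps above 1
    allow for other traffic the resolver interleaves between checker
    queries. A single observation can never be classified, which is
    exactly why a one-query-per-IP checker reports this scheme as random."""
    if len(ports) < 2:
        return False
    steps = [(b - a) % RANGE for a, b in zip(ports, ports[1:])]
    return all(0 < s <= max_step for s in steps)


def verdict(observed: Dict[str, List[int]]) -> str:
    """'predictable' if any checker IP saw a sequential run, else 'random'."""
    if any(is_sequential(ports) for ports in observed.values()):
        return "predictable"
    return "random"


if __name__ == "__main__":
    # Constructed checker addresses from the RFC 5737 documentation range.
    ips = ["192.0.2.%d" % i for i in range(1, 6)]
    for rounds in (1, 3):
        print("rounds=%d: per-destination -> %s, randomised -> %s" % (
            rounds,
            verdict(run_checker(PerDestinationResolver(1), ips, rounds)),
            verdict(run_checker(RandomPortResolver(1), ips, rounds))))
```

With one round the per-destination resolver passes as "random" (the illusion of security the thread warns about); with three rounds the constant stride between successive ports on the same checker IP exposes it, while the genuinely randomised resolver still passes. The step tolerance trades false negatives against false positives: for a uniformly random resolver the chance that two successive ports to one IP both land within 64 of each other is on the order of 10^-6, so a handful of rounds per IP is enough.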
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs