This sounds pretty scary; it seems to concern recursors and resolver libraries. The way to solve it is to use port randomization, which shouldn't be a big surprise to the PowerDNS-using community.
Massive, Coordinated Patch To the DNS Released [0]

> tkrabec alerts us to a CERT advisory announcing a massive [1], multi-vendor DNS patch released today. Early this year, researcher Dan Kaminsky discovered a basic flaw in the DNS that could allow attackers easily to compromise any name server; it also affects clients. Kaminsky has been working in secret with a large group of vendors on a coordinated patch. Eighty-one vendors are listed in the CERT advisory (DOC [2]). Here is the executive overview (PDF [3]) to the CERT advisory; text reproduced at the link above. There's a podcast [4] interview with Dan Kaminsky too. His site has a DNS checker tool [5] on the top page.
>
> "The issue is extremely serious, and all name servers should be patched as soon as possible. Updates are also being released for a variety of other platforms since this is a problem with the DNS protocol itself, not a specific implementation. The good news is this is a really strange situation where the fix does not immediately reveal the vulnerability and reverse engineering isn't directly possible."

So now the question becomes: did anyone inform Bert and/or PowerDNS too? I did find in the DOC [2]:

  Name: PowerDNS
  Status: Not Vulnerable
  Date Notified: 2008-05-13 11:35:05
  Statement: PowerDNS Vendor Statement
  -------------------------
  Since version 3.0, released in April 2006, the PowerDNS Recursor resolving nameserver has implemented measures that protect against the vulnerability described in CVE-2008-1447. Source ports are randomized, and 'near misses', indicating a spoofing attempt in progress, are detected, and the query is dropped.
  ___

I guess no patching for us (for our DNS servers at least)? Thank you Bert (and DJB)!
;-)

[0] http://it.slashdot.org/it/08/07/08/195225.shtml
[1] http://securosis.com/2008/07/08/dan-kaminsky-discovers-fundamental-issue-in-dns-massive-multivendor-patch-released/
[2] http://securosis.com/publications/CERT%20Advisory.doc
[3] http://securosis.com/publications/DNS-Executive-Overview.pdf
[4] http://media.libsyn.com/media/mckeay/nsp-070808-ep111.mp3
[5] http://www.doxpara.com/

_____________________________________
New things are always on the horizon.
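To make the two defences named in the vendor statement concrete, here is an added example (not PowerDNS code, and not part of the original message): a toy resolver that matches each answer against the outstanding query's transaction ID, destination port and question, counts "near misses" (right port and question, wrong ID) and abandons the query once a constructed threshold is reached, plus a helper showing how much larger the guess space becomes once source ports are randomized. The ephemeral port range 1024-65535, the near-miss limit of 3 and the fixed port 53000 are assumptions for illustration.

```python
import random
from dataclasses import dataclass, field

EPHEMERAL_PORTS = range(1024, 65536)   # assumption: 64512 usable source ports
TXID_SPACE = 1 << 16                   # DNS transaction ID is a 16-bit field


def guess_space(randomized_ports: bool) -> int:
    """Number of (txid, port) combinations a forged answer has to hit."""
    return TXID_SPACE * (len(EPHEMERAL_PORTS) if randomized_ports else 1)


def forgery_success_probability(forged_packets: int, randomized_ports: bool) -> float:
    """Chance that `forged_packets` distinct guesses contain the right one."""
    return min(1.0, forged_packets / guess_space(randomized_ports))


@dataclass
class Outstanding:
    qname: str
    txid: int
    port: int
    near_misses: int = 0


@dataclass
class Resolver:
    rng: random.Random                 # injected so the behaviour is reproducible
    randomize_ports: bool = True
    near_miss_limit: int = 3           # constructed threshold, not a PowerDNS value
    fixed_port: int = 53000            # hypothetical port used when randomization is off
    pending: dict = field(default_factory=dict)   # (port, qname) -> Outstanding

    def send_query(self, qname: str):
        """Pick a fresh transaction ID (and, if enabled, a random source port)."""
        txid = self.rng.randrange(TXID_SPACE)
        port = self.rng.choice(EPHEMERAL_PORTS) if self.randomize_ports else self.fixed_port
        self.pending[(port, qname)] = Outstanding(qname, txid, port)
        return txid, port

    def receive(self, dst_port: int, txid: int, qname: str) -> str:
        """Validate an incoming answer against what we are actually waiting for."""
        q = self.pending.get((dst_port, qname))
        if q is None:
            return "ignored"            # nothing outstanding on that port for that name
        if q.txid == txid:
            del self.pending[(dst_port, qname)]
            return "accepted"
        # Right port and question but wrong ID: somebody is guessing IDs.
        q.near_misses += 1
        if q.near_misses >= self.near_miss_limit:
            del self.pending[(dst_port, qname)]
            return "dropped:query-abandoned"
        return "dropped:near-miss"


if __name__ == "__main__":
    r = Resolver(rng=random.Random(7))
    txid, port = r.send_query("example.com")
    print(r.receive(port, txid, "example.com"))
    for fixed in (False, True):
        print("randomized" if fixed else "fixed port", guess_space(fixed),
              forgery_success_probability(65536, fixed))
```

With a fixed source port, 65536 distinct forged answers are guaranteed to include the right ID; with randomized ports the same batch succeeds with probability below 1/64512, and the near-miss counter gives the resolver a signal to drop the query rather than wait for the guess to land.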
