* Jack Lloyd:
Perhaps there is something subtle here that is more dangerous than the
well known problems, and all these source port randomization and
transaction id randomization fixes are just a smokescreen of sorts for
a fix for something Dan found.
It's not a smokescreen, it's a
CERT/CC mentions this:
| It is important to note that without changes to the DNS protocol, such
| as those that the DNS Security Extensions (DNSSEC) introduce, these
| mitigations cannot completely prevent cache poisoning.
Why wouldn't switching to TCP lookups solve the problem? It's
arguably
* John Levine:
CERT/CC mentions this:
| It is important to note that without changes to the DNS protocol, such
| as those that the DNS Security Extensions (DNSSEC) introduce, these
| mitigations cannot completely prevent cache poisoning.
Why wouldn't switching to TCP lookups solve the problem?
On Mon, 14 Jul 2008 16:27:58 +0200
Florian Weimer [EMAIL PROTECTED] wrote:
On top of that, some operators decided not to offer TCP service at
all.
Right. There's a common misconception, on both security and network
operator mailing lists, that DNS servers use TCP only for zone
transfers, and
At 4:27 PM +0200 7/14/08, Florian Weimer wrote:
Implementors say that in many cases, their software as it's currently
implemented can't take the load. It's not much worse than web traffic,
that's why I think it can be made to work (perhaps easier with kernel
support, who knows). But code
Udhay Shankar N wrote, On 9/7/08 5:52 PM:
I think Dan Kaminsky is on this list. Any other tidbits you can add
prior to Black Hat?
He's posted a quite long article on his blog
http://www.doxpara.com/?p=1162
that looks like all the details he is likely to provide for the next 30
days. It
* Paul Hoffman:
The take-away here is not that Dan didn't discover the problem, but
Dan got it fixed.
I haven't seen credible claims that the underlying issue can actually be
fixed in the classic DNS protocol. There are workarounds on top of
workarounds. A real fix requires more or less
I think Dan Kaminsky is on this list. Any other tidbits you can add
prior to Black Hat?
Udhay
http://www.liquidmatrix.org/blog/2008/07/08/kaminsky-breaks-dns/
Kaminsky Breaks DNS
Author: Dave Lewis
July 8, 2008 at 2:21 pm ยท Filed under Patches, Vulnerability
Well, sort of.
Today Dan
On Wed, 09 Jul 2008 11:22:58 +0530
Udhay Shankar N [EMAIL PROTECTED] wrote:
I think Dan Kaminsky is on this list. Any other tidbits you can add
prior to Black Hat?
Udhay
http://www.liquidmatrix.org/blog/2008/07/08/kaminsky-breaks-dns/
I'm curious about the details of the attack. Paul
First off, big props to Dan for getting this problem fixed in a
responsible manner. If there were widespread real attacks first, it
would take forever to get fixes out into the field.
However, we in the security circles don't need to spread the
Kaminsky finds meme. Take a look at
However, we in the security circles don't need to spread the
Kaminsky finds meme.
Quite right. Paul Vixie mentioned it in 1995, Dan Bernstein started
distributing versions of dnscache with randomized port and sequence
numbers in 2001.
The take-away here is not that Dan didn't discover the
Paul Hoffman wrote:
First off, big props to Dan for getting this problem fixed in a
responsible manner. If there were widespread real attacks first, it
would take forever to get fixes out into the field.
However, we in the security circles don't need to spread the Kaminsky
finds meme. Take a
On Wed, Jul 09, 2008 at 08:20:33AM -0700, Paul Hoffman wrote:
First off, big props to Dan for getting this problem fixed in a
responsible manner. If there were widespread real attacks first, it
would take forever to get fixes out into the field.
However, we in the security circles don't
On Wed, Jul 09, 2008 at 05:36:02PM +0100, Ben Laurie wrote:
Paul Hoffman wrote:
First off, big props to Dan for getting this problem fixed in a
responsible manner. If there were widespread real attacks first, it would
take forever to get fixes out into the field.
However, we in the security
Ben Laurie wrote:
Paul Hoffman wrote:
First off, big props to Dan for getting this problem fixed in a
responsible manner. If there were widespread real attacks first, it
would take forever to get fixes out into the field.
However, we in the security circles don't need to spread the Kaminsky
+ John Kemp [EMAIL PROTECTED]:
It does seem he would like an air of some mystery to exist though
until he makes his presentation about the issue at Defcon - did he,
himself, discover something new? We'll just have to wait, unless we
go play with the BIND code ourselves.
Unless he is merely
Steven M. Bellovin wrote:
On Wed, 09 Jul 2008 11:22:58 +0530
Udhay Shankar N [EMAIL PROTECTED] wrote:
I think Dan Kaminsky is on this list. Any other tidbits you can add
prior to Black Hat?
Udhay
http://www.liquidmatrix.org/blog/2008/07/08/kaminsky-breaks-dns/
I'm curious about the
17 matches
Mail list logo