[NA-Discuss] [Fwd: [ga] FYI Fwd: Kaminsky on djbdns bugs]
Jeffrey A. Williams
jwkckid1 at ix.netcom.com
Fri Aug 8 19:49:48 EDT 2008
All,
Of course Joe and Kaminsky are correct and have been for years.
Yet ICANN and the ISC have been unable or unwilling to do the
right thing. Well, that's a shame, a very huge shame indeed. We
took matters into our own hands, as did Bernstein, and designed
our own BIND product. To date, no security holes recognized.
-------- Original Message --------
Subject: [ga] FYI Fwd: Kaminsky on djbdns bugs
Date: Sat, 9 Aug 2008 10:44:32 -0400
From: "Joe Baptista" <baptista at publicroot.org>
To: Ga <ga at gnso.icann.org>
FYI
---------- Forwarded message ----------
From: Joe Baptista<baptista at publicroot.org>
Date: Sat, Aug 9, 2008 at 10:42 AM
Subject: Re: Kaminsky on djbdns bugs
To: Erwin Hoffmann <feh at fehcom.de>
Cc: dns at list.cr.yp.to
Hi,
On Fri, Aug 8, 2008 at 11:33 AM, Erwin Hoffmann <feh at fehcom.de> wrote:
> Hi,
> At 03:42 08.08.2008 +0000, D. J. Bernstein wrote:
> > Kyle Wheeler writes:
> > > That makes it easier for an attacker to guess the right number, but
> > > only somewhat (your chances per-guess go from one in four billion to,
> > > say, thirty in four billion). This criticism of djbdns seems
> > > somewhat... well, specious.
> > http://cr.yp.to/djbdns/forgery.html has, for several years, stated the
> > results of exactly this attack:
> >   The dnscache program uses a cryptographic generator for the ID and
> >   query port to make them extremely difficult to predict. However,
> >   * an attacker who makes a few billion random guesses is likely to
> >     succeed at least once;
> >   * tens of millions of guesses are adequate with a colliding attack;
> > etc. The same page also states bilateral and unilateral workarounds that
> > would raise the number of guesses to "practically impossible"; but then
> > focuses on the real problem, namely that "attackers with access to the
> > network would still be able to forge DNS responses."
> Yes. I posted years ago a URL to tinydns.org (originating
> from Security Focus) with a very careful analysis about the
> above topic Kaminsky now claims to be a new affair -- however,
> the link has been removed (I can post a copy of the article in
> PDF format on request).
I'd be interested in seeing it.
> Most of what Kaminsky discusses is pretty old and well known -
> obviously except for the BIND guys (regarding DNS).
The BIND guys know it. The BIND guys patch BIND every year. But it's so
half-assed. How many versions of BIND have been published to address a
security issue? Answer - every single one.
I've complained for years about this. Especially to the internet DNS
pirates at ICANN. It goes nowhere. What pisses me off is that they
have the resources to do a good job but don't. From their point of view
it seems every BIND vulnerability is a marketing opportunity. It has
been either an attempt to use the security issue to deny users access to
port 53 or, in this case, an attempt to market a crappy protocol like
DNSSEC - which is in my opinion an attempt by a technical community to
give control of the root to the 13 root gods.
> Even worse; here in Germany on the Heise ticker, there is more
> confusion regarding MacOS and the missing dnslib patches from
> Apple (sailing on the waves of Kaminsky's 'discoveries'). The
> common misunderstandings about the roles of the stub-resolver,
> the dns-cache/full-resolver, and the dns-content-server seem
> to be persistent; in particular in spite of DNSSEC.
> regards.
> --eh.
> (The German reading folks may have a look in the 2nd edition
> of my book "Technik der IP-Netze" which explains DNS -- I
> shall translate that chapter into English and make it publicly
> available; any volunteers?)
> Dr. Erwin Hoffmann | FEHCom | http://www.fehcom.de/
> Wiener Weg 8, 50858 Cologne | T: +49 221 484 4923 | F: ...24
--
Joe Baptista
www.publicroot.org
PublicRoot Consortium
----------------------------------------------------------------
The future of the Internet is Open, Transparent, Inclusive,
Representative & Accountable to the Internet community @large.
----------------------------------------------------------------
Office: +1 (360) 526-6077 (extension 052)
Fax: +1 (509) 479-0084
Regards,
Spokesman for INEGroup LLA. - (Over 281k members/stakeholders strong!)
"Obedience of the law is the greatest freedom" -
Abraham Lincoln
"Credit should go with the performance of duty and not with what is
very often the accident of glory" - Theodore Roosevelt
"If the probability be called P; the injury, L; and the burden, B;
liability depends upon whether B is less than L multiplied by
P: i.e., whether B is less than PL."
United States v. Carroll Towing (159 F.2d 169 [2d Cir. 1947])
===============================================================
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS.
div. of Information Network Eng. INEG. INC.
ABA member in good standing member ID 01257402 E-Mail
jwkckid1 at ix.netcom.com
My Phone: 214-244-4827
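The guess counts quoted from the forgery page in the thread above ("a few billion random guesses"; "tens of millions of guesses" with a colliding attack) follow from a short probability calculation. The Python below is an added worked example, not part of this thread or of djbdns; it assumes a search space of a 16-bit transaction ID times a 16-bit randomised source port, and treats 200 concurrently outstanding queries (dnscache's MAXUDP limit, taken here as an assumption) as the factor that turns the colliding case into tens of millions.

```python
import math

# Assumed search space: 16-bit DNS transaction ID plus a 16-bit randomised
# UDP source port, as the quoted forgery page describes dnscache doing.
ID_BITS = 16
PORT_BITS = 16
SPACE = 2 ** (ID_BITS + PORT_BITS)   # about 4.3 billion (ID, port) pairs

# Assumption: the cache keeps at most this many UDP queries outstanding at
# once (dnscache's MAXUDP is 200 in its source; treated as an assumption here).
MAX_OUTSTANDING = 200


def p_forge(guesses: int, outstanding: int = 1, space: int = SPACE) -> float:
    """Probability that at least one of `guesses` forged responses matches one
    of `outstanding` concurrently pending queries.  A single forged packet
    matches a given pending query with probability 1/space, so it succeeds
    with probability outstanding/space; guesses are treated as independent."""
    p_one = outstanding / space
    # 1 - (1 - p_one)**guesses, evaluated in log space to keep precision
    return 1.0 - math.exp(guesses * math.log1p(-p_one))


def guesses_for(target: float, outstanding: int = 1, space: int = SPACE) -> int:
    """Smallest number of guesses that reaches `target` success probability."""
    p_one = outstanding / space
    return math.ceil(math.log(1.0 - target) / math.log1p(-p_one))


def compare_scenarios(target: float = 0.5) -> dict:
    """Guesses needed for an even chance of one successful forgery under the
    three situations the thread contrasts."""
    return {
        # ID only, fixed source port: the classic 16-bit case
        "fixed_port_id_only": guesses_for(target, space=2 ** ID_BITS),
        # random ID and port, one pending query: 'a few billion guesses'
        "random_id_and_port": guesses_for(target),
        # random ID and port, but MAX_OUTSTANDING queries pending at once so a
        # forged packet can match any of them: the colliding attack, 'tens of
        # millions of guesses'
        "colliding_attack": guesses_for(target, outstanding=MAX_OUTSTANDING),
    }


if __name__ == "__main__":
    for name, n in compare_scenarios().items():
        print(f"{name:>20}: {n:>14,d} guesses for a 50% chance")
```

Kyle Wheeler's "thirty in four billion" per guess corresponds to `p_forge(1, outstanding=30)`; the 200-query figure only changes the constant, not the 2^32 space, which is why the page's workarounds aim at raising the space instead.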