Exploit for DNS Cache Poisoning - RELEASED

Let's hope some very large service providers get their act together
real soon now.

There is always a tension between discovery, changing, testing and
finally deployment.

Sure, I can empathize, to a certain extent. But this issue has
been known for 2+ weeks now.

Not sure I can be very empathic now, given the seriousness, and the
proper warning ISPs have been given.

$.02,

- - ferg

Sure, I can empathize, to a certain extent. But this issue has
been known for 2+ weeks now.

Well we knew about the DNS issues since a long time ago (20+yrs perhaps?),
so the issue is not new, just the exploit is easier to put together and
chances for it to succeed are much higher.

As I mentioned in another message, perhaps it's time to get serious about
DNSSEC, where are we on this front?

Cheers
Jorge

Also recognize some of the simple testing tools get a bit confused
by some of the more complex DNS configurations used by the mega-ISP
DNS clusters; and generate false positives (and maybe even false
negative) results. You can see it happens when the testing tool
reports widely different numbers of queries checked.

Several of the ISPs with complex DNS clusters are patching and upgrading
them; however the current state of some of the patches wouldn't support
the query load those providers normally experience. So they've been
working on alternative mitigation strategies. However, it's difficult
to know if the alternative strategies actually mitigate the actual threat
without knowing the actual threat.

And finally, there probably are some providers who haven't made plans to
change their DNS. Unfortunately, the testing tools can't read minds (yet), so it's difficult to know which ISPs are in this category.
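A checker of the kind described above, as an added example (not a tool from the thread): it grades the randomness of a resolver's observed outgoing source ports and transaction IDs per egress address, so a cluster that spreads queries over several addresses shows up as small, uneven samples rather than a false POOR. The verdict thresholds and the observation data are constructed.

```python
"""Check source-port and transaction-ID randomness of a resolver's outgoing
queries, grouped per egress address so a cluster that fans queries out over
several addresses is not misread as one under-sampled server. Constructed data."""
from collections import defaultdict
from statistics import pstdev

# Constructed observations as a checker would collect them: (egress_ip, udp_src_port, txid).
SAMPLE = [
    ("192.0.2.10", 51234, 0x1f3a), ("192.0.2.10", 8123, 0xa9c4),
    ("192.0.2.10", 61044, 0x0be7), ("192.0.2.10", 30521, 0x77d1),
    ("192.0.2.10", 44987, 0xc002), ("192.0.2.10", 1999, 0x5e19),
    ("192.0.2.11", 22019, 0x3c3c), ("192.0.2.11", 60001, 0x9a10),  # same cluster, few queries seen
    ("198.51.100.5", 32768, 0x1000), ("198.51.100.5", 32768, 0x1001),  # unpatched: fixed port,
    ("198.51.100.5", 32768, 0x1002), ("198.51.100.5", 32768, 0x1003),  # sequential IDs
    ("198.51.100.5", 32768, 0x1004), ("198.51.100.5", 32768, 0x1005),
]

def looks_sequential(values):
    """True when every value is exactly the previous one plus one."""
    return len(values) > 2 and all(b - a == 1 for a, b in zip(values, values[1:]))

def assess(observations, min_queries=5, good_stdev=10000):
    """Per egress address: POOR (one port or sequential txids), GOOD (distinct,
    widely spread ports), FAIR (some spread) or INCONCLUSIVE (too few queries)."""
    by_ip = defaultdict(list)
    for ip, port, txid in observations:
        by_ip[ip].append((port, txid))
    report = {}
    for ip, qs in by_ip.items():
        ports = [p for p, _ in qs]
        txids = [t for _, t in qs]
        if len(qs) < min_queries:
            verdict = "INCONCLUSIVE"
        elif len(set(ports)) == 1 or looks_sequential(txids):
            verdict = "POOR"
        elif len(set(ports)) == len(ports) and pstdev(ports) >= good_stdev:
            verdict = "GOOD"
        else:
            verdict = "FAIR"
        report[ip] = {"queries": len(qs), "distinct_ports": len(set(ports)),
                      "port_stdev": round(pstdev(ports)), "verdict": verdict}
    return report

def cluster_warning(report):
    """Uneven per-address samples: the checker saw only part of a cluster's queries from each address."""
    counts = [r["queries"] for r in report.values()]
    if len(counts) > 1 and min(counts) * 2 <= max(counts):
        return f"{len(counts)} egress addresses, uneven samples {counts}: re-test with more queries"
    return None
```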

This is important. Kaminsky took a known concept and did the hard
engineering work to make it feasible. To slightly misuse a quote
that's more often applied to crypto, "amateurs worry about algorithms;
pros worry about economics". The economics of the attack have now
changed. (And we need to get DNSSEC deployed before they change even
further.)

    --Steve Bellovin, http://www.cs.columbia.edu/~smb

... economics of the attack have now
changed. (And we need to get DNSSEC deployed before they change even
further.)

Amen.

jmamodio@gmail.com ("Jorge Amodio") writes:

As I mentioned in another message, perhaps it's time to get serious about
DNSSEC, where are we on this front?

still waiting for US-DoC to give ICANN permission to sign the root zone.

jmamodio@gmail.com ("Jorge Amodio") writes:

As I mentioned in another message, perhaps it's time to get serious about
DNSSEC, where are we on this front?

Still waiting for US-DoC to give ICANN/IANA permission to sign the root zone.

Neil Suryakant Patel is the nominee for AS for Communications and Information at DoC. If he's in the loop, even "advisory pending ...", and as a Cheney staffer (initially staff secretary, now as a domestic and economic policy adviser), that's possible, then adjust expectations accordingly.

Paul Vixie wrote:

The problem is, once the ICANNt root is self-signed, the hope of ever
revoking that dysfunctional mess as authority is gone.

Perhaps the IETF or DoC should sign the root, that way we have a prayer
of wresting control from ICANN, as opposed to paying a tax, in
perpetuity, for registration services to an unaccountable, unelected,
and imperious body?

Some of us don't think the UN/EU/ITU are good models for governance.

IE: Separation of powers. ICANN/IANA is granted (interim) authority to
operate, but some other governing body signs.

The problem is, once the ICANNt root is self-signed, the hope of ever
revoking that dysfunctional mess as authority is gone.

Sorry, I don't follow -- sounds like FUD to me. Care to explain this?

As far as I'm aware, as long as the KSK isn't compromised, changing the organization who holds the KSK simply means waiting until the next KSK rollover and having somebody else do the signing.

Perhaps the IETF

You mean oh say IANA?

or DoC

That'll be popular in the international community.

should sign the root, that way we have a prayer
of wresting control from ICANN, as opposed to paying a tax, in

perpetuity, for registration services to an unaccountable, unelected,
and imperious body?

Registration fees are unrelated to signing the root, but thanks for the gratuitous ICANN bashing. It was missing in this thread -- I was wondering when it would show up.

Some of us don't think the UN/EU/ITU are good models for governance.

Indeed.

IE: Separation of powers. ICANN/IANA is granted (interim) authority to
operate, but some other governing body signs.

So you want to increase the role ICANN/IANA has in root zone management. Interesting.

Regards,
-drc

That's true if the ICANN KSK is signed *by some other entity* - that entity
can then force a change by signing some *other* KSK for the next rollover.

If the ICANN key is self-signed as Tomas hypothesizes, then that leverage
evaporates.
If

The problem is, once the ICANNt root is self-signed, the hope of ever
revoking that dysfunctional mess as authority is gone.

that sounds like the kind of foot-dragging that could be holding this up.

Perhaps the IETF or DoC should sign the root, that way we have a prayer
of wresting control from ICANN, as opposed to paying a tax, in
perpetuity, for registration services to an unaccountable, unelected,
and imperious body?

apparently when the internet was invented nobody gave any thought to all
kinds of stuff including classful addressing (how were we going to route
16 million class C's anyway?), settlements (aren't AS701 and LVLT also
somewhat imperious?), unwanted traffic (spam, DoS), address space longevity
and/or conservation, routing table bloat and churn, traffic source
authenticity (UDP, SMTP, syslog, ICMP, you name it)... and now you're
trying to say that we don't know how to govern it long-term either?

Some of us don't think the UN/EU/ITU are good models for governance.

probably most of us. however, there are certain things that can only get
done that way (country code assignments in postal and telephony space for
example) and i try to keep this in mind and continually forgive those who
mistakenly believe that IP addresses or domain names are like that at all.

IE: Separation of powers. ICANN/IANA is granted (interim) authority to
operate, but some other governing body signs.

the other party would have to sign every change. probably that's what will
happen, IANA will edit, USG will hire some beltway bandit to hold the keys
and do the signing, and then the rootops will publish. and i'm ok with
that except that it's taking too long to get it going, and i can't seem to
find the person whose desk it's sitting on so that i can offer them my help.
(noting that they may not need or want my help, but i'd rather offer my
help than just sit back and complain.)

Valdis,

The problem is, once the ICANNt root is self-signed, the hope of ever
revoking that dysfunctional mess as authority is gone.

As far as I'm aware, as long as the KSK isn't compromised, changing
the organization who holds the KSK simply means waiting until the next
KSK rollover and having somebody else do the signing.

That's true if the ICANN KSK is signed *by some other entity* - that entity
can then force a change by signing some *other* KSK for the next rollover.

If the ICANN key is self-signed as Tomas hypothesizes, then that leverage
evaporates.

Except it doesn't work like that. As has been presented in numerous places (RIPE, ICANN, etc.), Richard Lamb has been working with the usual suspects (the Swedish DNSSEC mafia, NLNetLabs folks, Nominet folks, etc.) to come up with a secure, trustable, and accountable architecture for doing the signing. If a miracle happens and IANA were to be allowed to sign the root and then was told to give it to someone else, all that would need to be done would be for IANA staff to hand over the HSM, PIN codes and cards to someone else. Of course, part of the architecture is that there is more than one card and that someone other than IANA would hold the second card (i.e., the same sort of thing you see in US missile silos), but that's somewhat irrelevant to a discussion about how the "dysfunctional mess" would have its "authority" revoked.

I suppose one could argue that ICANN could refuse to hand over the HSM, the PIN codes and cards, but given ICANN is a California-incorporated company providing the IANA functions under a contract with the US government, I somehow doubt ICANN would be in any position to refuse. Federal Marshals can be quite persuasive I'm told.

Of course, all of this is academic since I figure it is highly unlikely IANA will be permitted to sign the root. If anyone, my money is on VeriSign (you remember them...) but it may be some other Beltway Bandit as Paul suggests.

Regards,
-drc

In what way is the EU's governance model the same as, or anything similar,
to the UN's or ITU's? This argument gets increasingly silly. Hell, when did
ITU last let someone randomly take over a chunk of the e164 name space?

in <http://permalink.gmane.org/gmane.linux.redhat.fedora.general/306278>
we see this text:

  The DNS attacks are starting!!!

  Below is a snippet of a logwatch from last night. Be sure all DNS
  servers are updated if at all possible. The spooks are out in full
  on this security vulnerability in force.

  THIS IS YOUR LAST WARNING...!!!
  Patch or Upgrade NOW!

  ...

this ought to be an interesting weekend.

Paul Vixie wrote:

in <http://permalink.gmane.org/gmane.linux.redhat.fedora.general/306278>
we see this text:

  The DNS attacks are starting!!!

  Below is a snippet of a logwatch from last night. Be sure all DNS
  servers are updated if at all possible. The spooks are out in full
  on this security vulnerability in force.

  THIS IS YOUR LAST WARNING...!!!
  Patch or Upgrade NOW!

  ...

this ought to be an interesting weekend.

I saw much more than this *from the same address* starting two days ago, and from several other blocks belonging to the same university starting last week, to my home router and another server. So far my better connected servers haven't been hit hard. (and no non-auto answer from "security" at that university...)

-- Pete

I saw this earlier in the week, along with queries for a domain name
which happens to have been registered by Dan Kaminsky, so I emailed him
about it. The addresses in question at Georgia Tech appear to be in use
as part of Doxpara's scan for unpatched systems, which he confirmed.

For those who are bothered, look out for queries from the same netblock
of the form:

rB6CIo_XgRlScY5K0iGISAAAAAAvygwAAAAAACujBAA=.ports.dns-integrity-scan.com/A/IN

It's probably obvious to one and all what they should be for. And the
fact that the queries are denied by correctly configured (ie. non-open)
resolvers makes it even less of a panic.

The sky isn't falling... yet.

Graeme
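An added example, not from the thread, of the look-out suggested above: it pulls probe queries for that domain out of a resolver query log, groups them by client /24 and counts how many the resolver denied. The log lines are constructed in the shape of BIND's `query:` and `query (cache) '...' denied` messages.

```python
"""Flag the scanner's probe queries in a resolver query log, group them by client
/24 (the 'same netblock' pattern described above) and report whether the resolver
answered or denied them. Sample lines are constructed in the shape of BIND
'query:' and 'query (cache) ... denied' log messages, not taken from a real log."""
import ipaddress
import re
from collections import defaultdict

PROBE_SUFFIX = ".ports.dns-integrity-scan.com"  # domain named in the thread

QUERY_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN \w+")
DENIED_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query \(cache\) '(?P<name>[^/']+)/\w+/IN' denied")

SAMPLE_LOG = """\
client 203.0.113.21#40021: query: rB6CIo_XgRlScY5K0iGISAAAAAAvygwAAAAAACujBAA=.ports.dns-integrity-scan.com IN A +
client 203.0.113.21#40021: query (cache) 'rB6CIo_XgRlScY5K0iGISAAAAAAvygwAAAAAACujBAA=.ports.dns-integrity-scan.com/A/IN' denied
client 203.0.113.77#51900: query: Zm9vYmFyCg==.ports.dns-integrity-scan.com IN A +
client 198.51.100.9#5353: query: www.example.com IN A +
"""

def scan_probes(log_text):
    """Return {client /24: {'clients': [...], 'queries': n, 'denied': n}} for probe
    names only; 'queries' counts every probe query, 'denied' those the resolver refused."""
    stats = defaultdict(lambda: {"clients": set(), "queries": 0, "denied": 0})
    for line in log_text.splitlines():
        m = QUERY_RE.search(line) or DENIED_RE.search(line)
        if not m or not m.group("name").lower().rstrip(".").endswith(PROBE_SUFFIX):
            continue
        net = str(ipaddress.ip_network(m.group("ip") + "/24", strict=False))
        stats[net]["clients"].add(m.group("ip"))
        stats[net]["denied" if line.endswith("denied") else "queries"] += 1
    return {net: {**e, "clients": sorted(e["clients"])} for net, e in stats.items()}

def open_resolver_hints(stats):
    """Netblocks whose probes were answered rather than denied: the resolver is
    recursing for them, which a correctly configured (non-open) resolver would not."""
    return [net for net, e in stats.items() if e["queries"] > e["denied"]]
```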

And for extra points, can anyone with access to the raw un-logwatched
log entries tell us what's rather odd about the queries, given the
current furore over... well, that'd give the answer :wink:

Graeme

Lack of accountability, heavily bureaucratic, and dirigiste.

Oh, and generally irrelevant/impotent in the real world of the
streets/net and crime/insurgency/dictatorship.

* Paul Vixie:

in <http://permalink.gmane.org/gmane.linux.redhat.fedora.general/306278>
we see this text:

  The DNS attacks are starting!!!

  Below is a snippet of a logwatch from last night. Be sure all DNS
  servers are updated if at all possible. The spooks are out in full
  on this security vulnerability in force.

  THIS IS YOUR LAST WARNING...!!!
  Patch or Upgrade NOW!

  ...

this ought to be an interesting weekend.

It's from a Georgia Tech address, so it's likely some sort of monitoring
effort by David Dagon. I see it in my logs, too.