mailing list archives
Re DNS spoofing issue discussion
From: Mary and Glenn Everhart <Everhart () gce com>
Date: Thu, 31 Jul 2008 20:29:13 -0400
To: Valdis.Kletnieks () vt edu
Subject: RE: [Full-disclosure] DNS spoofing issue. Thoughts on
I chose my wording to cover not only DNSSEC but possible alternatives
that could be devised. Certs are not the only way to do it, but it
needs to be installed all over.
The BGP fixes were devised after the last meltdown, but question again
is whether they are installed. If DNSSEC had been installed, Kaminsky's
would not exist.
Since the number of sites running BGP among themselves is not that huge,
it is probably not as practical an attack vector. Last meltdown that
happened was said to be solved largely because most of the BGP site
knew each other well enough to recognize voices on the phone. Net's bigger
The fact that the recent youtube route hijack and the kenya routing
incidents happened suggests that the md5 security is not in fact in
(needs predefined secrets installed and apparently people don't configure it
to do anything). That being the case, a reminder that maybe it could be
reexamine this seems not totally daft.
Everhart () gce com
(posting from home; I am the same one who has posted from work also.)
From: Valdis.Kletnieks () vt edu [mailto:Valdis.Kletnieks () vt edu]
Sent: Wednesday, July 30, 2008 11:30 AM
To: Everhart, Glenn (Card Services)
Cc: pschmehl_lists_nada () tx rr com; randallm () fidmail com;
full-disclosure () lists grok org uk
Subject: Re: [Full-disclosure] DNS spoofing issue. Thoughts on
On Sun, 27 Jul 2008 14:07:03 EDT, Glenn.Everhart () c<censored>h.a.sx.com said:
The need for something more like ssl certs in there remains
It's called DNSSEC, which has been out for a decade and more.
(Also needed for bgp I suspect).
RFC2385 (TCP MD5 protection for BGP) addresses most of the issues, at least
on a peer-to-peer basis, and has been out for a decade. There's a
of the issues in RFC5123.
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
- Re DNS spoofing issue discussion Mary and Glenn Everhart (Aug 01)