Re: [dns-operations] summary of recent vulnerabilities in DNS security.

2013-10-22 Thread Tony Finch
Colm MacCárthaigh wrote: > > This thread concerns the vulnerabilities uncovered in the fragment > attacks. One of those vulnerabilities is that domains can be rendered > unresolvable; even when DNSSEC is enabled. That seems like something > to take seriously. I am increasingly doubtful that EDNS b

Re: [dns-operations] summary of recent vulnerabilities in DNS security.

2013-10-22 Thread Tony Finch
Vernon Schryver wrote: > > Have you turned on DNSSEC where you can? If not, why not? Can we have less of the ad hominem please. Tony. -- f.anthony.n.finch http://dotat.at/ Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first. Rough, becoming slight or moderate. Shower

Re: [dns-operations] summary of recent vulnerabilities in DNS security.

2013-10-22 Thread Daniel Kalchev
On 22.10.13 12:50, Tony Finch wrote: Vernon Schryver wrote: Have you turned on DNSSEC where you can? If not, why not? Can we have less of the ad hominem please. I find these questions quite reasonable. When one claims "DNSSEC is difficult", while others claim it is not, then something i

Re: [dns-operations] summary of recent vulnerabilities in DNS security.

2013-10-22 Thread Stephane Bortzmeyer
On Tue, Oct 22, 2013 at 10:48:52AM +0100, Tony Finch wrote a message of 43 lines which said: > Apart from avoiding fragments, are there other ways to mitigate this > attack? If I remember correctly, in her paper, Shulman mentioned possible rules at the registry: limiting the maximum number of

Re: [dns-operations] Ang.: ALERT: .QA CCTLD in wrong hands currently

2013-10-22 Thread Anne-Marie Eklund-Löwinder
Not necessarily, but it is the only information I've seen so far. :) Kind regards, Anne-Marie Eklund Löwinder > -Original message- > From: Jim Reid [mailto:j...@rfc1035.com] > Sent: 20 October 2013 18:20 > To: Anne-Marie Eklund-Löwinder > Cc: Kauto Huopio; Florian We

Re: [dns-operations] summary of recent vulnerabilities in DNS security.

2013-10-22 Thread Edward Lewis
On Oct 21, 2013, at 14:32, someone wrote: > But who cares who got there first? Every request > I see for credit is recorded in my private accounting as a debit against > the credibility of the person demanding credit, because credit demands > suggest interests which suggest biases and so inaccur

Re: [dns-operations] Ang.: ALERT: .QA CCTLD in wrong hands currently

2013-10-22 Thread Stephane Bortzmeyer
On Tue, Oct 22, 2013 at 02:18:20PM +0200, Anne-Marie Eklund-Löwinder wrote a message of 64 lines which said: > Not necessarily, but it is the only information I've seen so far. :) With DNSDB and RIPE Atlas probes and all the monitoring systems that run day and night on the Internet, there is

Re: [dns-operations] summary of recent vulnerabilities in DNS security.

2013-10-22 Thread Haya Shulman
> I notice that besides not answering the priority question, you also > did not say where we can read your paper to see whether you mention > DNSSEC only as a coerced afterthought. @Vernon Schryver Please read my first post in this thread, you should find all information there. Should the or

Re: [dns-operations] summary of recent vulnerabilities in DNS security.

2013-10-22 Thread Vernon Schryver
> From: Daniel Kalchev > >> Have you turned on DNSSEC where you can? If not, why not? > When one claims "DNSSEC is difficult", while others claim it is not, then > something is wrong. Answering questions like these might help find out > where the wrong comes from and eventually fix it. I thin

Re: [dns-operations] summary of recent vulnerabilities in DNS security.

2013-10-22 Thread Paul Vixie
note, i am using as my reference to haya shulman's fragmentation related attack. i found this by googling for "fragmentation considered poisonous" which is the string i used to reference haya's work in my circleid blog post. Haya Shulman wrote: > > --- > >

Re: [dns-operations] summary of recent vulnerabilities in DNS security.

2013-10-22 Thread Rubens Kuhl
> > Which brings me to the topic of resolver-behind-upstream attacks which were > not commented upon. > As you know, one of the recommendations of experts and Internet operators, > following Kaminsky attack, was `either deploy patches or configure your > resolver to use a secure upstream forwar

Re: [dns-operations] summary of recent vulnerabilities in DNS security.

2013-10-22 Thread Haya Shulman
On Tue, Oct 22, 2013 at 6:20 PM, Rubens Kuhl wrote: > > Which brings me to the topic of resolver-behind-upstream attacks which > were not commented upon. > As you know, one of the recommendations of experts and Internet operators, > following Kaminsky attack, was `either deploy patches or configu

Re: [dns-operations] summary of recent vulnerabilities in DNS security.

2013-10-22 Thread Haya Shulman
On Tue, Oct 22, 2013 at 6:20 PM, Paul Vixie wrote: > note, i am using as my reference to > haya shulman's fragmentation related attack. i found this by googling for > "fragmentation considered poisonous" which is the string i used to > reference haya's work in

Re: [dns-operations] summary of recent vulnerabilities in DNS security.

2013-10-22 Thread Keith Mitchell
On 10/22/2013 10:52 AM, Haya Shulman wrote: >> Disclosing such potential vulnerabilities remains valuable work, >> but I think careful consideration needs to be applied to the >> engineering economics of the best operational-world mitigation >> approaches. > > @Keith Mitchell (My head is *r

Re: [dns-operations] summary of recent vulnerabilities in DNS security.

2013-10-22 Thread P Vixie
On Tuesday, October 22, 2013 18:57:41 Haya Shulman wrote: > > On Tue, Oct 22, 2013 at 6:20 PM, Rubens Kuhl wrote: > > > > Would DNSCrypt, supported by OpenDNS, be a possible mitigation to this issue? > ... > > Would IPSEC between resolver and upstream forward be a possible mitigation to this

Re: [dns-operations] summary of recent vulnerabilities in DNS security.

2013-10-22 Thread P Vixie
On Tuesday, October 22, 2013 19:47:34 Haya Shulman wrote: > On Tue, Oct 22, 2013 at 6:20 PM, Paul Vixie wrote: > > note, i am using as my reference to > > haya shulman's fragmentation related attack. i found this by googling for > > "fragmentation considered po

Re: [dns-operations] summary of recent vulnerabilities in DNS security.

2013-10-22 Thread Haya Shulman
I am not sure what you mean by `official OARC channels`, I forwarded my communication on this issue, with porttest operators, to you a month or so ago. Maybe these were not official channels, but I have not contacted OARC otherwise, via a different channel. Can you please advise how to contact OARC

Re: [dns-operations] summary of recent vulnerabilities in DNS security.

2013-10-22 Thread Vernon Schryver
> From: Haya Shulman > Please read my first post in this thread, you should find all information > there. I see I'm stupid for not seeing that in the first message. I did search for 'http' but somehow didn't see the URL. But why not simply repeat the URL for people like me? Why not the URL of

Re: [dns-operations] summary of recent vulnerabilities in DNS security.

2013-10-22 Thread Keith Mitchell
On 10/22/2013 02:41 PM, Haya Shulman wrote: >> Yes, but as I explained privately previously, there is no record >> of this correspondence through official OARC channels - I did >> request you re-send, but I don't have a copy of it. > > I am not sure what you mean by `official OARC channels`, I for

Re: [dns-operations] summary of recent vulnerabilities in DNS security.

2013-10-22 Thread Haya Shulman
On Mon, Oct 21, 2013 at 1:42 PM, P Vixie wrote: > On Tuesday, October 22, 2013 19:47:34 Haya Shulman wrote: > > On Tue, Oct 22, 2013 at 6:20 PM, Paul Vixie wrote: > > > note, i am using as my reference > to > > > haya shulman's fragmentation related attack. i

Re: [dns-operations] summary of recent vulnerabilities in DNS security.

2013-10-22 Thread Jared Mauch
On Oct 22, 2013, at 7:42 AM, Daniel Kalchev wrote: > I for one, do not believe DNSSEC is any difficult. I have turned on DNSSEC > wherever I can. It has become easier and easier in the past few years to the > point I would call deploying DNSSEC today trivial. I have therefore changed > my stance

Re: [dns-operations] summary of recent vulnerabilities in DNS security.

2013-10-22 Thread Michele Neylon - Blacknight
On 22 Oct 2013, at 20:28, Jared Mauch wrote: >> > > It's difficult because there is not universal support amongst registrars. > Once again the wheel gets stuck when the technical side meets the business > side. It's not entirely "business" that causes the issues .. Registry operators d

Re: [dns-operations] summary of recent vulnerabilities in DNS security.

2013-10-22 Thread Paul Vixie
Haya Shulman wrote: > > > > > so if i add "first weaponized by Haya Shulman" this would > settle the > > > matter? > > > > Thank you, can you please use Amir Herzberg and Haya Shulman (I > > collaborated on this attack together with my phd advisor Amir > Herzberg). > >

Re: [dns-operations] summary of recent vulnerabilities in DNS security.

2013-10-22 Thread Paul Vixie
Jared Mauch wrote: > ... > > Edit a zone file vs "edit, run a script, upload some keys, roll some keys, do > some other magic" is harder than edit a zone file. BIND9 V9.9 may surprise you. it has inline signing and automatic key management. the code name for this feature set was "DNSSEC For Human

Re: [dns-operations] summary of recent vulnerabilities in DNS security.

2013-10-22 Thread Rubens Kuhl
On 22/10/2013, at 18:06:000, Michele Neylon - Blacknight wrote: > > On 22 Oct 2013, at 20:28, Jared Mauch > wrote: >>> >> >> It's difficult because there is not universal support amongst registrars. >> Once again the wheel gets stuck when the technical side meets the business >> side.

Re: [dns-operations] summary of recent vulnerabilities in DNS security.

2013-10-22 Thread Jim Reid
On 22 Oct 2013, at 22:53, Rubens Kuhl wrote: > .nl and .cz got massive registrar adoption to DNSSEC offering business > incentives, so it seems business side accounts for most of it. So where are the incentives for resolver operators? If they switch on DNSSEC validation and get extra calls to

Re: [dns-operations] summary of recent vulnerabilities in DNS security.

2013-10-22 Thread Vernon Schryver
I'm puzzled by the explanation of Socket Overloading in https://sites.google.com/site/hayashulman/files/NIC-derandomisation.pdf I understand it to say that Linux on a 3 GHz CPU receiving 25,000 packets/second (500 bytes @ 100 Mbit/sec) spends so much time in interrupt code that low level packet bu

Re: [dns-operations] summary of recent vulnerabilities in DNS security.

2013-10-22 Thread Jo Rhett
I am not at liberty to disclose location or vendor, but I'm aware of linux boxes handling 20k PPS mixed UDP/TCP at an average 2% CPU. They aren't even modern boxes although a bit newer than the dual core that Vernon mentions below. In short, I agree completely with everything Vernon said here. I

Re: [dns-operations] summary of recent vulnerabilities in DNS security.

2013-10-22 Thread Rubens Kuhl
On 22/10/2013, at 20:40, Jim Reid wrote: > On 22 Oct 2013, at 22:53, Rubens Kuhl wrote: > >> .nl and .cz got massive registrar adoption to DNSSEC offering business >> incentives, so it seems business side accounts for most of it. > > So where are the incentives for resolver operators? If

Re: [dns-operations] summary of recent vulnerabilities in DNS security.

2013-10-22 Thread Vernon Schryver
> From: Jim Reid > So where are the incentives for resolver operators? If they switch > on DNSSEC validation and get extra calls to customer support as a > result, who pays? Why not the same people as before? Who besides farmers and squatters (who don't care about DNSSEC) would object to paying

Re: [dns-operations] summary of recent vulnerabilities in DNS security.

2013-10-22 Thread Matt Rowley
Vernon Schryver wrote: > I'm puzzled by the explanation of Socket Overloading in > https://sites.google.com/site/hayashulman/files/NIC-derandomisation.pdf > > I understand it to say that Linux on a 3 GHz CPU receiving 25,000 > packets/second (500 bytes @ 100 Mbit/sec) spends so much time in > inte