A Big Day for DNS Security
Dan Kaminsky has done it again.
Kaminsky found a security vulnerability in the design of DNS itself. Yeah, let that sink in. The problem is in the DNS protocol, not just in certain implementations. That means BIND is affected (of course), Microsoft DNS is affected, and so on. A full list of affected systems is available in the CERT advisory.
Something to note is that BIND 8 is not being patched. If you are still running BIND 8, you should upgrade to BIND 9 immediately.
Several systems are not susceptible, including dnscache from djbdns, OpenDNS, and PowerDNS. Kaminsky comments on how Dan Bernstein was years ahead of everyone else with djbdns:
DJB was right. All those years ago, Dan J. Bernstein was right: Source Port Randomization should be standard on every name server in production use.
There is a fantastic quote that guides a lot of the work I do: Luck is the residue of design. Dan Bernstein is a notably lucky programmer, and that’s no accident. The professor lives and breathes systems engineering in a way that my hackish code aspires to one day experience. DJB got “lucky” here — he ended up defending himself against an attack he almost certainly never encountered.
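The reason source port randomization matters is that a forged answer has to match both the 16-bit transaction ID and the UDP source port of the outstanding query; a resolver that always sends from one port leaves only the TXID to guess. The script below is an added example (not from this post, Kaminsky, or any vendor) of the kind of check a defender can run over captured outbound queries from their own resolvers: it groups queries by resolver, labels the source-port pattern as fixed, sequential, or varied, and reports the observed variety as a rough lower bound in bits. The resolver addresses, ports and TXIDs are constructed sample data.

```python
import math
from collections import defaultdict

# Constructed sample of outbound resolver queries as (resolver_ip, src_port, txid),
# as one might extract from a capture at the network edge. Not a real capture.
SAMPLE_QUERIES = [
    # Resolver that always sends from port 53 (only the 16-bit TXID varies)
    ("192.0.2.10", 53, 0x1a2b), ("192.0.2.10", 53, 0x9f10), ("192.0.2.10", 53, 0x0c44),
    ("192.0.2.10", 53, 0x7e81), ("192.0.2.10", 53, 0xd3d3), ("192.0.2.10", 53, 0x3390),
    # Resolver that walks its source port upward by one per query
    ("192.0.2.20", 32768, 0x5510), ("192.0.2.20", 32769, 0x8a7c), ("192.0.2.20", 32770, 0x0001),
    ("192.0.2.20", 32771, 0xfe32), ("192.0.2.20", 32772, 0x4b90), ("192.0.2.20", 32773, 0xa1a1),
    # Resolver that randomizes its source port on every query
    ("192.0.2.30", 41907, 0x2b3c), ("192.0.2.30", 5012, 0xc0de), ("192.0.2.30", 60123, 0x13f7),
    ("192.0.2.30", 1777, 0x88e0), ("192.0.2.30", 29991, 0x6a1d), ("192.0.2.30", 50004, 0xbeef),
]


def classify_ports(ports):
    """Label the source-port pattern seen for one resolver, in capture order."""
    if len(set(ports)) == 1:
        return "fixed"
    if all(b - a == 1 for a, b in zip(ports, ports[1:])):
        return "sequential"
    return "varied"


def analyze(records):
    """Group queries by resolver and summarize the variety in ports and TXIDs.

    'observed_bits' is log2(distinct ports * distinct TXIDs): a lower bound, based
    only on what was captured, on how much an off-path forger would have to guess.
    """
    by_resolver = defaultdict(list)
    for ip, port, txid in records:
        by_resolver[ip].append((port, txid))

    report = {}
    for ip, pairs in by_resolver.items():
        ports = [p for p, _ in pairs]
        txids = {t for _, t in pairs}
        pattern = classify_ports(ports)
        distinct_ports = len(set(ports))
        report[ip] = {
            "queries": len(pairs),
            "distinct_ports": distinct_ports,
            "distinct_txids": len(txids),
            "port_pattern": pattern,
            "observed_bits": round(math.log2(distinct_ports * len(txids)), 2),
            # Fixed or sequential ports mean the port adds little or nothing to the TXID.
            "needs_attention": pattern in ("fixed", "sequential"),
        }
    return report


def resolvers_needing_attention(records):
    """Return the resolver addresses whose source ports look fixed or predictable."""
    return sorted(ip for ip, r in analyze(records).items() if r["needs_attention"])


if __name__ == "__main__":
    for ip, summary in analyze(SAMPLE_QUERIES).items():
        print(ip, summary)
    print("needs attention:", resolvers_needing_attention(SAMPLE_QUERIES))
```

On real traffic you would feed it thousands of queries per resolver; six queries can only show that a port is fixed or walking, not that a varied port is drawn from the full range, so treat "varied" as "not obviously broken" rather than proof of good randomization.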
Here is a PDF of the executive overview of the vulnerability.
This is being called the largest coordinated security update in the history of the Internet, and it probably is. Kaminsky coordinated the announcement of the security issue with all the major vendors, so that everyone had patches available at the same time, preventing chaos across the Internet.
The Internet is lucky to have Dan Kaminsky looking out for us.
Posted by corywright on July 9th, 2008 under BIND, Security, Server Software, Uncategorized, djbdns.