[Pdns-users] coordinated patch

Leen Besselink leen at wirehub.nl
Wed Jul 9 05:47:45 UTC 2008

This sounds pretty scary; it seems to concern recursors and resolver libraries. The way to solve it is to use port randomization, which shouldn't be a big surprise to the PowerDNS-using community.

Massive, Coordinated Patch To the DNS Released [0]

tkrabec alerts us to a CERT advisory announcing a massive [1], multi-vendor DNS patch released today. Early this year, researcher Dan Kaminsky discovered a basic flaw in the DNS that could allow attackers easily to compromise any name server; it also affects clients. Kaminsky has been working in secret with a large group of vendors on a coordinated patch. Eighty-one vendors are listed in the CERT advisory (DOC [2]). Here is the executive overview (PDF [3]) to the CERT advisory - text reproduced at the link above. There's a podcast [4] interview with Dan Kaminsky too. His site has a DNS checker tool [5] on the top page. "The issue is extremely serious, and all name servers should be patched as soon as possible. Updates are also being released for a variety of other platforms since this is a problem with the DNS protocol itself, not a specific implementation. The good news is this is a really strange situation where the fix does not immediately reveal the vulnerability and reverse engineering isn't directly possible."

So now the question becomes: did anyone inform Bert and/or PowerDNS too?

I did find in the DOC [2]:

Name: PowerDNS
Status: Not Vulnerable
Date Notified: 2008-05-13 11:35:05
PowerDNS Vendor Statement
Since version 3.0, released in April 2006, the PowerDNS Recursor
resolving nameserver has implemented measures that protect against
the vulnerability described in CVE-2008-1447. Source ports are
randomized, and 'near misses', indicating a spoofing attempt in
progress, are detected, and the query is dropped.

I guess no patching for us (for our DNS servers at least)?

Thank you Bert (and DJB)! ;-)

[0] http://it.slashdot.org/it/08/07/08/195225.shtml
[1] http://securosis.com/2008/07/08/dan-kaminsky-discovers-fundamental-issue-in-dns-massive-multivendor-patch-released/
[2] http://securosis.com/publications/CERT%20Advisory.doc
[3] http://securosis.com/publications/DNS-Executive-Overview.pdf
[4] http://media.libsyn.com/media/mckeay/nsp-070808-ep111.mp3
[5] http://www.doxpara.com/

New things are always on the horizon.
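A toy model of the two measures the vendor statement above describes, added here as an illustration and not code from PowerDNS or from the poster: a recursor keeps a pending-query table keyed by randomized source port and 16-bit transaction ID, accepts only replies matching both, and treats a reply on the right port with the wrong ID as a "near miss" that drops the outstanding query. The class and function names, the port range (1024-65535) and the assumption that "near miss" means right port but wrong ID are mine.

```python
"""Constructed example: pending-query validation with source-port randomization
and near-miss detection, modelled on the PowerDNS vendor statement."""
import secrets
from dataclasses import dataclass, field

TXID_SPACE = 65536              # 16-bit DNS transaction ID
PORT_SPACE = 65536 - 1024       # assumed ephemeral port range 1024..65535


@dataclass
class PendingQuery:
    qname: str
    src_port: int   # randomized port the query left from
    txid: int       # random transaction ID


@dataclass
class Recursor:
    pending: dict = field(default_factory=dict)   # qname -> PendingQuery
    near_misses: int = 0

    def send_query(self, qname: str) -> PendingQuery:
        """Pick a fresh random port and ID for each outgoing query."""
        pq = PendingQuery(qname, 1024 + secrets.randbelow(PORT_SPACE),
                          secrets.randbelow(TXID_SPACE))
        self.pending[qname] = pq
        return pq

    def receive(self, qname: str, dst_port: int, txid: int, answer: str):
        """Return the answer if it matches port and ID; otherwise None.
        Right port but wrong ID is a near miss (assumed meaning): count it
        and drop the outstanding query so a later forged reply cannot land."""
        pq = self.pending.get(qname)
        if pq is None or dst_port != pq.src_port:
            return None                     # unknown query or wrong port: ignore
        if txid != pq.txid:
            self.near_misses += 1
            del self.pending[qname]         # drop the query; client retries
            return None
        del self.pending[qname]
        return answer


def guess_space(port_randomized: bool) -> int:
    """Number of (port, ID) combinations a forger must hit with one guess."""
    return TXID_SPACE * (PORT_SPACE if port_randomized else 1)
```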
