
[ga-full] Re: [aso-policy] RE: [aso-comment] IP address holders - are they represented?



Sigh.  

> > You don't get it - do you.  Let me try to clarify the state of BIND for
> > you.  ALL VERSIONS OF BIND UNDER VIXIE CAN BE HACKED.  

The DNS protocol suite, as specified in RFC 1034 and 1035 has a bug: the
sequence space of DNS queries is only 16 bits, thus it is possible to spoof a
response and insert badness as a response to a query.  As the DNS is (usually)
based on UDP, you don't even need to be on the local network to do it.

This is a known failure of the protocol and is remedied with DNSSEC (RFC
2535), which will be fully implemented in BINDv9 (there is a partial
implementation in BIND 8.2.2-P5 that may be useful to experiment with).  There
may also be other steps that can be taken to limit the vulnerability to
spoofing that are currently being discussed in the context of the root
nameserver operations draft, see the DNSOPS working group in the IETF if
interested.

Earlier versions of BIND (in particular BIND version 4) were very trusting --
it was (is, as many people are still running these early versions) easy to
spoof the server and insert badness.  In fact, this is what Eugene Kashpureff
did that resulted in him getting into a bit of trouble with the FBI.

The end result is that BIND, like all RFC conformant DNS implementations, can
be "hacked" in this way and one should be careful in trusting the response you
get from the DNS.  In particular, you should make sure the sites you're
opening SSL connections to have the correct certificates.  

There are a couple of other bugs in the latest version of BIND that we are
aware of that can result in denial of service attacks and as a result, we're
releasing BIND 8.2.3 (currently in alpha test, if you'd like to participate in
the alpha please contact me).  We are unaware of any other vulnerabilities in
BIND.

Baptista has not, to my knowledge, _ever_ notified ISC of any specific
vulnerability or exploit.  For that matter, the only thing I know of off hand
that Baptista has done with respect to the DNS (other than disrupt DNSO
related mailing lists) has been to announce a survey of BIND versions on the
Internet (unfortunately implying the survey was done with the ISC).

Also, a point about the "ownership" of BIND.  BIND was originally written
around 1985 at the University of California at Berkeley as a DARPA funded
graduate student project by Douglas Terry, Mark Painter, David Riggle and
Songnian Zhou.  Around 1988 or so, Paul Vixie made some modifications to BIND
and started distributing those modifications as patches.  Soon after, people
started sending their patches to Paul for incorporation into Paul's patch
distribution.  As a result, Paul got tagged with "maintainer of BIND" and
proceeded to make full releases from BIND 4.9.1 onwards.

Today, BIND is maintained by the Internet Software Consortium and Paul acts as
the release engineer -- he merges in patches created by other people, kits up
a release, and announces it.  He doesn't actually do any significant
development any more.  BIND version 8 continues to very much be a community
developed "open source" package with all that implies.  No one, least of all
the folks who work on BIND version 8, would claim it is the epitome of good
software design -- it is more a case study in software evolution (or, if you
prefer, cancerous growth).  This is one of the reasons ISC decided on doing a
full rewrite of BIND for version 9 (currently in beta test, contact me if
you'd like to participate).

In any event, claims, accusations, and comments from individuals like Baptista
should be taken with an understanding of his past behavior (and court
judgements).  I personally consider it a waste of time even reading mail from
him (which is why I filter him directly to the trash).

Rgds,
-drc
--
This message was passed to you via the ga-full@dnso.org list.
Send mail to majordomo@dnso.org to unsubscribe
("unsubscribe ga-full" in the body of the message).
Archives at http://www.dnso.org/archives.html
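An added example, not part of the message above or of any ISC code: a toy model of the 16-bit query ID weakness the message describes (RFC 1035 header ID) and of why response validation, the idea behind DNSSEC, closes it. The resolver, the zone key, the name `www.example.test` and the addresses are all constructed; an HMAC over the answer stands in for a zone's public-key RRSIG purely so the demo runs offline with no network or real signatures. A blind, off-path forger that cannot see the query must guess the ID, so its odds are `guesses / 65536` against an ID-only check, and zero against a resolver that also requires a valid signature.

```python
import hashlib
import hmac
import random
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ID_SPACE = 1 << 16  # the DNS header ID field is 16 bits (RFC 1035, section 4.1.1)


def blind_guess_success_probability(guesses: int, id_bits: int = 16) -> float:
    """Chance that `guesses` distinct forged IDs include the one real query ID."""
    space = 1 << id_bits
    return min(guesses, space) / space


@dataclass(frozen=True)
class Response:
    query_id: int
    name: str
    rdata: str
    sig: Optional[bytes] = None  # stand-in for a DNSSEC RRSIG (assumption: HMAC, see sign())


def sign(zone_key: bytes, name: str, rdata: str) -> bytes:
    """Constructed stand-in for a zone signature: HMAC-SHA256 over name|rdata."""
    return hmac.new(zone_key, f"{name}|{rdata}".encode(), hashlib.sha256).digest()


class Resolver:
    """Minimal stub resolver: one outstanding query per name, a cache, optional validation."""

    def __init__(self, rng: random.Random, trust_anchor: Optional[bytes] = None):
        self.rng = rng
        self.trust_anchor = trust_anchor      # None = classic RFC 1035 resolver, ID check only
        self.pending: Dict[str, int] = {}     # name -> outstanding query ID
        self.cache: Dict[str, str] = {}

    def send_query(self, name: str) -> int:
        qid = self.rng.randrange(ID_SPACE)    # random 16-bit ID is the best the protocol offers
        self.pending[name] = qid
        return qid

    def receive(self, resp: Response) -> bool:
        """Return True if the answer was accepted into the cache."""
        if self.pending.get(resp.name) != resp.query_id:
            return False                      # ID mismatch: the only check a non-validating resolver has
        if self.trust_anchor is not None:
            expected = sign(self.trust_anchor, resp.name, resp.rdata)
            if resp.sig is None or not hmac.compare_digest(expected, resp.sig):
                return False                  # ID collided, but the data is not signed by the zone
        del self.pending[resp.name]
        self.cache[resp.name] = resp.rdata
        return True


def simulate(trials: int, forged_per_query: int, validating: bool, seed: int = 1) -> Tuple[int, int]:
    """Run `trials` lookups; before each real answer arrives, `forged_per_query` distinct
    unsigned forgeries with guessed IDs are delivered. Returns (poisoned, legit_accepted)."""
    name, zone_key = "www.example.test", b"constructed-zone-key"   # constructed values
    resolver_rng, forger_rng = random.Random(seed), random.Random(seed + 1)
    poisoned = legit_accepted = 0
    for _ in range(trials):
        r = Resolver(resolver_rng, zone_key if validating else None)
        qid = r.send_query(name)
        for guess in forger_rng.sample(range(ID_SPACE), forged_per_query):
            if r.receive(Response(guess, name, "192.0.2.66")):   # forged, unsigned
                poisoned += 1
                break
        genuine = Response(qid, name, "192.0.2.1", sign(zone_key, name, "192.0.2.1"))
        if r.receive(genuine):                # rejected if a forgery already filled the cache
            legit_accepted += 1
    return poisoned, legit_accepted


if __name__ == "__main__":
    print("P(hit) with 1 guess :", blind_guess_success_probability(1))
    print("P(hit) with 65536   :", blind_guess_success_probability(ID_SPACE))
    print("ID-only, sweep all IDs:", simulate(5, ID_SPACE, validating=False))
    print("validating, sweep all :", simulate(5, ID_SPACE, validating=True))
```

The two `simulate` runs make the message's point concrete: against an ID-only check a forger that covers the whole 16-bit space wins every time, while a resolver that insists on a valid signature rejects every forgery even when the ID collides, and still accepts the genuine signed answer. Larger ID or port entropy only stretches the first case; validation is what changes the outcome.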