Slashdot Log In
Another DNS Flaw Found, Patched
Posted by
Soulskill
on Fri Jan 09, 2009 07:11 PM
from the come-and-gone dept.
from the come-and-gone dept.
darthcamaro writes "Remember the big DNS flaw that Dan Kaminsky 'discovered' last year? Well, it looks like another flaw in DNS has just been patched. This time it's an item that affects DNSSEC, which was supposed to be the savior for the Kaminsky flaw. The good news, though, is that this time, the issue is relatively minor and DNS has already been patched. 'The flaw is specific to certain usages of DNSSEC,' Joao Damas, senior programming manager of the ISC told InternetNews. 'It is strongly advised that all BIND DNSSEC deployments update in case they are using the particular pattern affected (DSA keys in some cases) and to prevent coming across the problem in the future unexpectedly.'"
Related Stories
[+]
IT: Massive, Coordinated Patch To the DNS Released 315 comments
tkrabec alerts us to a CERT advisory announcing a massive, multi-vendor DNS patch released today. Early this year, researcher Dan Kaminsky discovered a basic flaw in the DNS that could allow attackers easily to compromise any name server; it also affects clients. Kaminsky has been working in secret with a large group of vendors on a coordinated patch. Eighty-one vendors are listed in the CERT advisory (DOC). Here is the executive overview (PDF) to the CERT advisory — text reproduced at the link above. There's a podcast interview with Dan Kaminsky too. His site has a DNS checker tool on the top page. "The issue is extremely serious, and all name servers should be patched as soon as possible. Updates are also being released for a variety of other platforms since this is a problem with the DNS protocol itself, not a specific implementation. The good news is this is a really strange situation where the fix does not [immediately] reveal the vulnerability and reverse engineering isn't directly possible."
This discussion has been archived.
No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
Full
Abbreviated
Hidden
Loading... please wait.
any relation to the Ubuntu update? (Score:3)
Is this somehow related to the bind DNS updates for ubuntu desktop that got pushed yesterday?
Re: (Score:3, Informative)
Your home ubuntu machine or windows machine won't be effected directly by this.
Re: (Score:2)
Only if you're using BIND and DNSSEC (Score:3, Informative)
Otherwise not a problem.
Re: (Score:1, Offtopic)
Re: (Score:1)
I no longer do proprietaryware, so this isn't from personal experience. Point one is second hand and point two is based on the docs. Be kind to me mods, I did turn the karma bonus off and I am being transparent on the authority level.
1) Doesn't "Pro" at least come with a DNS server of some sort? I was under the impression... or maybe you don't trust it (you won't get any argument from me there, altho 2K was still respectable as it didn't yet have the eXPrivacy thing that was what ultimately gave me the f
Re: (Score:1)
Win2K Pro doesn't come with any DNS, and trying to compile using GCC on Win2K Pro is about as fun as getting hit in the nuts repeatedly with a ball peen hammer. Linux and Windows just don't play nice with each other, at least not for me. And all my gear doesn't work in Linux. The board has funky proprietary chips, the all in one printer won't even print, and the router won't talk to anything but IE for configuration. So switching to Linux is pretty much out. I need something I can fire up and walk away from
Re: (Score:2)
> And all my gear doesn't work in Linux.
Been there. =:^(
Luckily, about time W98 (which I was in line for at midnight, after running the IE4 betas and installing IE4 with desktop enhancements on W95) came out, I started playing around with Linux, and soon began to require that any hardware I bought was Linux compatible, so by the time MS gave me that final shove when they decided eXPrivacy was going to require authentication, I had been buying all Linux compatible hardware for a couple years and was fine
Re: (Score:2)
Sigh.....that must really be nice to be able to do that. In the past 5 years I have spent exactly $0.00 for my PC gear. With a paraplegic sister and a half blind mom who had to quit working to take care of sis I just don't have it. Every dime that I make at the shop ends up going to them or my boys. So I have adapted and became a "scrap rat" to keep myself in gear.
A customer will come in and say "I hate this thing, it is too slow! Can you get my stuff off and get me a faster one?" or "This thing is broken!
Re: (Score:1)
Well... if you look at my posting history, you'll note that I learned the hard way to actively prioritize things in my life, and then actively go after what I have prioritized.
In a way, you're lucky, in that you have family you value highly enough to make that sacrifice for. You mention both upstream and downstream family. I don't have any downstream family. I do have upstream, but while I love 'em, let's just say we get along better if there's a bit of distance between us. So I have no family to spend
Re: (Score:2)
My computer is 8 years old AMD 1.4ghz - and yes, when I bought it, I checked the compatibility.
It would be interesting if you posted the actual hardware you are having issues with.
The problems may have been resolved.
An out of the box linux has far better HW compatibility these days than Windows.
The windows advantage is the manufacturers actually make sure the equipment has the drivers when they sell it to you.
If you build on your own, which, if you are as poor as you say, you should, you can trivially ensur
Re: (Score:2)
I guess you didn't really read my post. i don't actually BUY hardly anything. I swap the machine off of a customer and then scavenge the pieces I need. So there isn't any "shopping for compatibility" there. As for the gear, well besides the Windows programs I use for work, There is an HP Pavilion with a funky as hell audio chipset(not realtek, that would be easy. Maybe an old Ali? I've not busted it open in awhile) along with a Trendnet router that only works with IE for configuration and a Lexmark x1270 al
QEMU + more modern OS (Score:2)
qemu.exe -hda debian.qcow -redir udp:53::53 -snapshot -vnc 3
then you can run whatever DNS server you like (not necessarily Linux - Plan 9's DNS server doesn't suffer the sequence number guessing problem). Use snapshot once it's set up so that you can just switch off without worrying about syncing its fs, (or use the console to apply fs changes while in snapshot mode). Or use samba to attach to the Host FS and use that, or use AOE (though I've only tried that the other way round with Linux as the host).
Ironi
Re: (Score:2)
Re: (Score:2)
Good luck!
Re: (Score:2)
Re: (Score:2)
I'm happy not knowing exactly how my car runs and most users are happy not knowing exactly how their operating system runs.
Unless you know everything about absolutely everything in your life, you have no room to talk about people not knowing how their computers work.
Re: (Score:3, Insightful)
Many, if not most people here take apart stuff and find out how it works for fun. Why, just this weekend, I'll replace a radiator in my wife's van for a fourth of what the repair shop would charge, then later I might compile a new kernel or something. When I'm done, I'm probably gonna treat that old lawn mower to a new magneto, and then later, restart work on my control program for my radio scanner.
Re: (Score:2)
You don't know how a car works? And are happy about it! Perhaps you should stick to MacRumours not /.
Re: (Score:2)
Well most of the time when there are updates the changelog doesn't actually display any text and reads "unable to download changelog". Also, it was just a fucking question!
Figures, BSD trolls strike again..
Re: (Score:2)
Wrong. Updates in distro releases are usually security updates, which should be applied by everyone.
Re: (Score:2)
I guess that OpenBSD doesn't have a decent package manager... Most package managers can figure out what packages are installed on a user's system, then only notify the user about updates to those installed packages. But, I suppose that *everything* is harder over in OpenBSD land.
Re: (Score:2)
Nope, they guy tries to *sound* elitist but isn't. OpenBSD uses Ports which was a package manager long before Ubuntu was on the scene.
I'm an elitist OpenBSD administrator too. I try to give us a bad name but usually with elitism not idiocy.
Re: (Score:2)
*grins* I was baiting the guy. I know about Ports. Gentoo's Portage was designed in its image. :D
subject (Score:5, Funny)
This is bad for all those who use DNSSEC. Both of them must be annoyed at the need to their software.
Re: (Score:1, Funny)
I think he just accidentally the whole DNSSEC.
Re: (Score:2)
Are we actually supposed to trust these people? (Score:4, Interesting)
I don't have anything to add to my subject.
A: Because it breaks the flow of a message (Score:1)
Re: (Score:2)
DNS-and-BIND (461968) wrote:
Q: Why is starting a comment in the Subject: line annoying?
Did someone already hack you before you got this patch installed?
Yeah, um... (Score:5, Informative)
That's not a "DNS flaw".
It's an OpenSSL bug that turned out to affect BIND.
Re: (Score:2, Funny)
Since the Windows resolver can connect to BIND, and Microsoft didn't release a patch, a well-written Slashdot summary should have read
Re:Yeah, um... (Score:5, Informative)
It's an OpenSSL bug that turned out to affect BIND.
No, it's a misuse of an OpenSSL API from within BIND, so the error is on BIND's side. It's of extremely low impact, though.
Parent
Re: (Score:3)
Exactly. I was just on the ISC site checking out something else (someone was asking about DNS for MS W2K and I was checking on that), and they said return codes for openSSL function calls weren't being checked in a few places so a verify failure may not have been properly caught. The released patch and downstream updates fix that.
time to dump BIND (Score:2, Informative)
Re: (Score:2)
Make that PowerDNS, and I agree. BIND is a flaming sack of dog shit, and the conflation of DNS with BIND in many people's minds drives me nuts.
Re: (Score:2, Interesting)
Personally, I use ldapdns [nimh.org], which used to be based on the djbdns code and continues to adopt some ideas from djbdns, The nice thing about ldapdns, though, is that the database store is entirely in LDAP. You change it in LDAP and the changes in the DNS server are instantaneous.
I would consider PowerDNS as well, but ldapdns is also very small, fast and lightweight and it scales well. I don't get the feeling that PowerDNS is so lightweight.
Re: (Score:3, Informative)
PowerDNS is actually quite light. They had the good sense to split it into a caching nameserver and a recursing resolver, making two lightweight daemons, rather than a single "does everything" process.
It's also nice because it can suck in BIND zone files if you're stuck with them and don't want to migrate. Good commercial support is also available. The code itself is GPL.
Re: (Score:2)
It doesn't make sense to drop BIND in favor of djbdns just because of this. djbdns doesn't even try to do DNSSEC. The bug in BIND is not a direct attack on the DNS server, it just means that DNSSEC validation doesn't always work right. By switching from BIND to djbdns, you are completely breaking DNSSEC validation. In different terms, the worst consequence of this bug was that it sometimes made BIND act like djbdns.
DNS Flaw? (Score:5, Insightful)
"DNS Flaw"? Can we shoot for a bit more accuracy here on Slashdot, since we're all technical enough to understand the details? It's a flaw that affects BIND. And BIND != DNS. I shouldn't have to point that out...
Why the sarcasm? (Score:1)
> Remember the big DNS flaw that Dan Kaminsky 'discovered' last year?
Why emphasize "discovered" in sarcastic quote marks? Did he NOT discover it? Was it someone else?