[nsp-sec] DNS vulnerability CVE-2008-1447/VU#800113
Florian Weimer
fweimer at bfk.de
Wed Jul 9 08:56:31 EDT 2008
* Gert Doering:

> What would a "major outage" be?

Several large ISPs don't patch in time, and attackers accidentally
nuke entire TLDs on their resolvers.

> Of course I'm a good citizen and have already upgraded our infrastructure
> (and happily discovered that the move "use different products" achieved
> "main recursive resolver is using powerdns, which is not affected") :-)

PowerDNS is not DNSSEC-capable, which will eventually create a
problem. Source port randomization just shifts the statistics a bit,
back to the area in which we are more comfortable. But the protocol
issues still linger in the background.

BTW, I've got a credible report that someone managed to derive the
root cause from publicly available information (without actually
intending to publish, though). It seems rather likely that we see a
comprehensive disclosure before August. 8-/

--
Florian Weimer <fweimer at bfk.de>
BFK edv-consulting GmbH http://www.bfk.de/
Kriegsstraße 100 tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99