OL.foo LI { margin-bottom:1ex;} UL.foo LI { margin-bottom:1ex;} Note: you can skip ahead to BIND fixes.

---

Recently the hosting company ISPrime became the victim of a DNS-based DDoS attack using spoofed source addresses.

Great news everyone! Matt Larson and Cricket Liu are resurrecting their Ask Mr. DNS advice column as a podcast:

Sadly, after Acme’s acquisition by VeriSign in 2000, Mr. DNS began the downward spiral into dissolution and iniquity so familiar to those in the public eye. When Matt and Cricket tracked Mr.

A number of years ago I did some simulations and measurements to show how different DNS resolvers distribute their queries to a set of authoritative servers (see PAM 2004 paper and NANOG29 presentation). At that time I tested BIND, Windows, DJBDNS, and CNS. Recently someone asked if I know the behavior for PowerDNS.

While working on the TLDmon plugins a couple of weeks ago, I noticed that a certain query to b.iana-servers.net was consistenly failing:

$ dig +bufsiz=2048 @b.iana-servers.net XN--9T4B11YI5A RRSIG

; >> DiG 9.3.5-P2 >> +bufsiz=2048 @b.iana-servers.n

In his Who Protects The Internet? article, Matt Rutherford mentions something near and dear to us as an example of hackers, er, citizens protecting the Internet:

Just look at Dan Kaminsky, a computer consultant who discovered a fundamental flaw in DNS, allowing him control over any website online. This flaw was astounding in what it gave access to – yet Dan Kaminsky didn’t turn to a government agency or organization, or abuse the hack himself.

On October 9, 2008, the U.S. National Telecommunications and Information Administration solicited public comments on the deployment of DNSSEC. Yesterday was the deadline for submission and today all of the comments have been published. Looks like slightly over 53 comments (of varying coherence) were received.

Eric Osterweil gave an interesting talk at the NANOG44 DNSSEC BOF. His data (shown below) from SecSpider indicates a significant increase in signed zones right around the time that CERT VU #800113 was released:

Last week David Conrad of ICANN asked if I could make DSC show the EDNS buffer sizes advertized by clients. This is now available in DSC versions dated after 2008-08-22.

Date: Mon, 4 Aug 2008 18:22:46 -0400 From: Robert Edmonds To: dns-operations Subject: [dns-operations] release of ISC SIE cache poisoning attempt detection tool hi, ISC SIE has developed a tool for detecting cache poisoning attempts. it consists of two parts: ncaptool, the part which performs packet gathering, reassembly, and dns filtering; and mod_urstate, a message processing module which attempts to statefully detect unsolicited responses that may be indicative of cache poisoning attempts.

This page provides information relating to CERT VU #800113. Please write to Admin if you have corrections or additions.

Timeline of Events

?, 2008

Dan Kaminsky stumbles upon a serious problem in the DNS protocol that makes poisoning easier than most everyone previously thought.

March 31, 2008

DNS Summit at Microsoft's offices to discuss the problem and solutions.