wessels's blog

DSC now reports EDNS buffer sizes

Last week David Conrad of ICANN asked if I could make DSC show the EDNS buffer sizes advertised by clients. This is now available in DSC versions dated after 2008-08-22. Furthermore, the new version is running on the F-root collector nodes.

The breakdown of buffer sizes looked different than I remembered for recent DITL data, so I generated some graphs for the 2006 through 2008 DITL data (F-root nodes) using the same size ranges.

[Graphs: EDNS buffer size breakdown for F-root DITL data, January 2006, January 2007, March 2008 and August 2008]

The trend is good news. Back in Jan 2007, 50% of queries did not indicate any EDNS support. 20% had bufsiz=2048, and 30% had bufsiz=4096. Now we have about 65% of queries with bufsiz=4096, while 35% still don't support EDNS.
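As an added example (not DSC's own code), the following Python parses a DNS query, pulls the advertised buffer size out of the OPT record's CLASS field, and tallies queries into the categories named above; the bucket boundaries and the sample queries are constructed for illustration, not taken from the DITL data.

```python
import struct
from collections import Counter
from typing import Iterable, Optional

def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length

def edns_bufsize(msg: bytes) -> Optional[int]:
    """EDNS buffer size advertised in msg (CLASS of the OPT RR, type 41), or None."""
    if len(msg) < 12:
        return None
    qdcount, ancount, nscount, arcount = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(ancount + nscount):
        off = _skip_name(msg, off)
        off += 10 + struct.unpack("!H", msg[off + 8:off + 10])[0]  # fixed fields + RDATA
    for _ in range(arcount):  # OPT is only valid in the additional section
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlength = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 41:
            return rclass
        off += 10 + rdlength
    return None

def bucket(size: Optional[int]) -> str:
    """Assumed ranges, modelled on the categories the post names (none, 2048, 4096)."""
    if size is None:
        return "none"
    return str(size) if size in (512, 2048, 4096) else "other"

def tally(queries: Iterable[bytes]) -> Counter:
    """Count queries per bucket, the way the DSC graphs break them down."""
    return Counter(bucket(edns_bufsize(q)) for q in queries)

def make_query(qname: str, bufsize: Optional[int]) -> bytes:
    """Constructed sample input: a minimal A query, plus an OPT RR when bufsize is given."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.strip(".").split("."))
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0 if bufsize is None else 1)
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)
    opt = b"" if bufsize is None else b"\x00" + struct.pack("!HHIH", 41, bufsize, 0, 0)
    return header + question + opt
```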


Submitted by wessels on Mon, 2008-08-25 20:17

CERT VU#800113 DNS Cache Poisoning Issue

CERT and numerous vendors are making a major announcement today regarding a DNS protocol vulnerability that may enable cache poisoning of recursive resolvers. From the CERT page:

Recent additional research into [DNS defects and deficiencies] and methods of combining them to conduct improved cache poisoning attacks have yielded extremely effective exploitation techniques. Caching DNS resolvers are primarily at risk--both those that are open (a DNS resolver is open if it provides recursive name resolution for clients outside of its administrative domain), and those that are not. These caching resolvers are the most common target for attackers; however, stub resolvers are also at risk.

We can expect patches from most vendors that will implement randomization of query source ports. According to ISC, source port randomization only increases the difficulty of the attack, but does not entirely prevent it. The best prevention, they say, is to implement DNSSEC.

Here are some vendor announcements:

The vulnerability was discovered by Dan Kaminsky of IOActive.

Submitted by wessels on Tue, 2008-07-08 18:47

IANA and ICANN domains hacked

Within a day of ICANN's gTLD announcement, ZDNet reports that a Turkish hacking group has hijacked domain names belonging to IANA and ICANN. Interestingly, only their "alternative" names were hijacked. For example, ICANN.COM and ICANN.NET were, but ICANN.ORG was not. Similarly, IANA.COM was, but IANA.ORG was not. The same group is apparently responsible for other recent high profile domain hijinks as well.

One thing all of the hijacked names have in common is their registrar, Register.com, which was apparently able to fix the problem within about 20 minutes. Let's hope the parties involved are up-front enough to explain what happened.

See also Zone-H, Circle-ID, and dnssec-deployment.


Submitted by wessels on Sun, 2008-06-29 20:38

ICANN announces significant change to TLD creation policy

Yesterday, during their meeting in Paris, ICANN announced a change in their policy for adding new generic TLDs to the DNS. Although this change has been planned for a while, I think it caught quite a few of us off guard.

Many details are not available at this time, but it sounds like a new gTLD will cost on the order of $100,000 and we won't be seeing many new ones for another year or so.

Some interesting discussions are taking place on the NANOG and dnssec-deployment mailing lists, and Circle-ID has some good articles as well.


Submitted by wessels on Fri, 2008-06-27 17:09