Proposed “One-Character Patch” for DNS Has Serious Side Effects
Last week a DNS researcher proposed limiting DNS cache poisoning attacks by adding a single character to the popular BIND name server software.
Robert Lemos of SecurityFocus reports: “By changing a ‘<’ to ‘<=’ in a trust check in the Berkeley Internet Name Domain (BIND) server software, the patch would prevent a previously unknown server from poisoning the cache, unless the time to live (TTL)—a limit on the age of a name server entry—had expired. The suggestion, made by computer scientist Gabriel Somlo, would make exploitation of name server caches more difficult. However, the “one-character patch” also has some serious side effects, Dan Kaminsky…”
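What the operator change does to cache replacement, as an added example that is not from the SecurityFocus article or from BIND's source: a toy resolver cache with a simplified trust ranking (the level names and values are assumptions for this model) whose replacement rule can be switched between the original '<' and the proposed '<='. Replaying a spoofed, equal-trust glue record against an unexpired entry shows the difference the page describes: the original rule lets it overwrite the cache, the patched rule holds it off until the TTL runs out.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Simplified trust ranking, lowest to highest. The names and levels are assumed
# for this model; BIND's own ranking has more levels than this.
TRUST_ADDITIONAL = 1   # glue learned from a response's additional section
TRUST_ANSWER = 2       # non-authoritative answer-section data
TRUST_AUTHANSWER = 3   # answer from a server authoritative for the name


@dataclass
class CacheEntry:
    rdata: str
    trust: int
    expires: float


class ResolverCache:
    """Toy cache whose replacement rule uses either '<' (original) or '<=' (patched)."""

    def __init__(self, patched: bool, clock: Callable[[], float]):
        self.patched = patched   # False: reject if new < cached; True: reject if new <= cached
        self.clock = clock       # injectable clock so the scenario runs offline
        self.entries: Dict[str, CacheEntry] = {}

    def add(self, name: str, rdata: str, trust: int, ttl: int) -> bool:
        """Offer data to the cache; return True if it created or replaced the entry."""
        now = self.clock()
        cur: Optional[CacheEntry] = self.entries.get(name)
        if cur is not None and cur.expires > now:
            # Original check: only strictly less trusted data is rejected, so a
            # forged record of equal trust overwrites the live entry.
            # Patched check: equal trust is rejected too, until the TTL expires.
            rejected = trust <= cur.trust if self.patched else trust < cur.trust
            if rejected:
                return False
        self.entries[name] = CacheEntry(rdata, trust, now + ttl)
        return True

    def lookup(self, name: str) -> Optional[str]:
        cur = self.entries.get(name)
        if cur is None or cur.expires <= self.clock():
            return None
        return cur.rdata


def run_scenario(patched: bool) -> Dict[str, object]:
    """Replay a poisoning attempt against an unexpired glue record."""
    now = [1000.0]
    cache = ResolverCache(patched, clock=lambda: now[0])

    # Constructed data: legitimate glue for the zone's name server, TTL one hour.
    cache.add("ns.example.com", "192.0.2.1", TRUST_ADDITIONAL, ttl=3600)

    # Spoofed response from a previously unknown source carrying glue of the
    # same trust level that points the name server at an attacker-chosen IP.
    poisoned = cache.add("ns.example.com", "203.0.113.66", TRUST_ADDITIONAL, ttl=3600)
    after_attack = cache.lookup("ns.example.com")

    # Data of strictly higher trust replaces the entry under either rule.
    now[0] += 60
    upgraded = cache.add("ns.example.com", "192.0.2.1", TRUST_AUTHANSWER, ttl=3600)

    # Once the TTL has run out there is no live entry to protect, so even
    # low-trust data is accepted again under either rule: the patch narrows the
    # window, it does not close it.
    now[0] += 3600
    after_expiry = cache.add("ns.example.com", "203.0.113.66", TRUST_ADDITIONAL, ttl=3600)

    return {
        "poisoned": poisoned,
        "resolves_to": after_attack,
        "upgraded": upgraded,
        "after_expiry": after_expiry,
    }


if __name__ == "__main__":
    for patched in (False, True):
        print("patched" if patched else "original", run_scenario(patched))
```

The modelled check sees only a trust level and an expiry time; it has no way to tell a forged equal-trust record from a legitimate refresh at the same trust level, so whatever it does to the attacker before the TTL runs out it does to the legitimate update as well.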
ORSN Is Shutting Down
The alternative DNS root server network, the Open Root Server Network (ORSN), is shutting down. The project, which began almost six years ago, is set to close at midnight on the last day of 2008. The following is part of the official statement released about the closure:
“Since the start of operation in 2002, ORSN was a political alternative to the ICANN/IANA-operated root server network. It was also well known for technical innovation, providing IPv6 support before it was introduced in the ICANN/IANA-operated root servers.
However, during the last months/years the interest of our team shifted and we could no longer fulfil our goal of providing innovation.
Although we realize that at this point in time the discussion about DNSSEC key possession should increase the importance of a political alternative, we still couldn’t find enough supporters who were willing to help with the technical expertise and work to implement this for ORSN.”
Watching the registrars
Sometime around the beginning of the 2nd century the poet Juvenal posed the question, “Quis custodiet ipsos custodes?”, Latin for “Who will watch the watchers?” Juvenal was riffing on Plato’s “Republic”, and with good reason: the question was, and still is, profound because it concerns a basic problem with the machinery of government and governance and, by extension, applies to any authority that has little or no oversight.
In the IT world a great example of an authority operating without oversight is the situation we have with Network Solutions Inc. (NSI). NSI is the domain name registrar that was allowed sole control over the .com, .net, and .org top-level domains until 1999, during which time it gouged the public with the permission and support of the Internet Corporation for Assigned Names and Numbers (ICANN).
In the last few days, NSI was found to be doing something completely and unequivocally unethical: holding unregistered domain names hostage and, once again, gouging the public.
Here’s what the furor is all about. Let’s say you were starting a new company and you were going to, oh, I don’t know, say, sell VoIP to retired sailors. You might have an “ah ha” marketing moment and decide that “callmeishmael.com” was the perfect domain name. (I use this name merely as an example because it amuses me; someone currently owns it and wants $2,288 for it. Good luck to them.)
So, with dreams of naming perfection and a subsequent IPO dancing in your head, you might well have gone to Network Solutions and searched its Whois service to see whether the name was available. Had you done so, you would have run up against what others discovered: the name you had just searched for was available, but with a four-day “lock” on it set by Network Solutions. The lock meant you couldn’t register the domain with a more reasonably priced registrar.
Moreover, had you not ponied up Network Solutions’ hugely inflated registration fee ($34.99, about four or five times what most registrars charge) you would have risked losing the name to a domain “taster”, someone who snaps up potentially valuable names the millisecond they emerge from the lock, to resell at a profit.
But how would a domain taster know you were trying to register some obscure name? Simple: Network Solutions was happy to tell anyone who cared to look which names visitors had searched for. Every NSI domain name search was immediately registered on NSI’s special name servers, which were easily identified by the domain name reserveddomainname.com!
This practice of locking up names, often called “domain name front running,” is generally recognized as unethical (and possibly illegal in the way NSI was doing it).
In the last few days Network Solutions has ceased the practice and tried to spin the issue, saying it was “a security measure to protect our customers.” But a) that’s just transparent bull, and b) two important questions remain.
First, how could NSI management condone such obviously unethical and dubious business practices? Perhaps they just can’t help themselves; there’s a long and ugly corporate history of registrar mismanagement, which includes failing to prevent domain name piracy and frequently making serious administrative mistakes that cost users insane amounts of time and money . . . it goes on and on.
Second, why doesn’t ICANN do something about NSI? Why is ICANN so ridiculously wimpy about reining in the mismanagement and abuse that NSI seems to indulge in regularly?
Perhaps we need a new version of Juvenal’s question: “Quis custodiet ipsos subcriptio?” . . . “Who will watch the registrars?”
Sex.com Settles Monumental Case Against VeriSign/Network Solutions
Sex.com announced today a final settlement with VeriSign (formerly Network Solutions, Inc.), concluding a six-year legal fight that set several important precedents for the future of the Internet. After the Ninth Circuit Court of Appeals granted Sex.Com a sweeping victory that held VeriSign/Network Solutions, Inc. (collectively “VeriSign”) strictly responsible for mishandling the famous domain name, Sex.Com and VeriSign have settled Sex.Com’s lawsuit against VeriSign.
DNS Tools
DNS Tools lets you run a ping, traceroute, or DNS lookup against a domain name or IP address from your web browser.
It also shows information about your own IP address via the My IP tool.
Setup DNS Server Using Bind In Ubuntu
DNS stands for Domain Name System. On the Internet, DNS stores and associates many types of information with domain names; most importantly, it translates domain names (host names) to IP addresses. It also lists the mail exchange servers that accept e-mail for each domain. By providing a worldwide, name-based lookup service, DNS is an essential component of contemporary Internet use.
One in Four DNS Servers Still Unpatched for Kaminsky
One in four DNS servers is still vulnerable to the Kaminsky flaw, according to an annual survey of DNS servers conducted by network services vendor Infoblox and the Internet testing and measurement group The Measurement Factory.
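A check one can run against a resolver's own traffic, as an added example that is not part of the Infoblox/Measurement Factory survey: the fix the major resolvers shipped for the Kaminsky flaw randomizes the UDP source port of outbound queries, so a resolver whose queries all leave from one port, or from incrementing ports, is still exposed. The function scores a list of (source port, transaction ID) pairs of the kind a packet capture of the resolver's outbound queries would yield. The samples are constructed with a fixed seed, and the classification thresholds are assumptions chosen for illustration.

```python
import math
import random
from collections import Counter
from typing import Dict, List, Tuple

Observation = Tuple[int, int]  # (UDP source port, DNS transaction ID) of one outbound query


def entropy_bits(values: List[int]) -> float:
    """Shannon entropy of the observed value distribution, in bits."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def assess_resolver(obs: List[Observation], min_samples: int = 20) -> Dict[str, object]:
    """Classify a resolver's source-port behaviour from its captured outbound queries."""
    if len(obs) < min_samples:
        raise ValueError(f"need at least {min_samples} queries, got {len(obs)}")
    ports = [p for p, _ in obs]
    txids = [t for _, t in obs]

    steps = [b - a for a, b in zip(ports, ports[1:])]
    sequential_share = sum(1 for s in steps if s == 1) / len(steps)
    distinct_share = len(set(ports)) / len(ports)

    # Thresholds are assumptions chosen for illustration, not a published standard.
    if len(set(ports)) == 1:
        verdict = "fixed"          # one port for every query: pre-fix behaviour
    elif sequential_share >= 0.5:
        verdict = "sequential"     # incrementing ports are as guessable as a fixed one
    elif distinct_share >= 0.9:
        verdict = "randomized"     # what the source-port fix is meant to produce
    else:
        verdict = "poor"           # some variation, but a small enough pool to brute-force

    return {
        "verdict": verdict,
        "distinct_ports": len(set(ports)),
        "port_entropy_bits": round(entropy_bits(ports), 2),
        "txid_entropy_bits": round(entropy_bits(txids), 2),
    }


def constructed_samples(kind: str, n: int = 60) -> List[Observation]:
    """Constructed stand-in for a capture of n queries; seeded so the result is reproducible."""
    rng = random.Random(2008)
    txids = [rng.randrange(0, 65536) for _ in range(n)]
    if kind == "unpatched":
        ports = [32768] * n                      # every query from the same port
    elif kind == "sequential":
        ports = [1024 + i for i in range(n)]     # port bumps by one per query
    elif kind == "patched":
        ports = [rng.randrange(1024, 65536) for _ in range(n)]
    else:
        raise ValueError(f"unknown sample kind: {kind}")
    return list(zip(ports, txids))


if __name__ == "__main__":
    for kind in ("unpatched", "sequential", "patched"):
        print(f"{kind:>10}: {assess_resolver(constructed_samples(kind))}")
```

The transaction ID entropy is reported alongside because a 16-bit ID is all that stands between a guessed answer and a cache entry when the port is fixed. For a live resolver the same measurement is offered by DNS-OARC's porttest service (`dig +short porttest.dns-oarc.net TXT`), which reports the source ports it saw your resolver use.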