North American Network Operators Group
Re: Paul Vixie: Re: [dns-operations] DNS issue accidentally leaked?
> > > 11 seconds.
> > >
> > > and at&t refuses to patch.
> > >
> > > and all iphones use those name servers.
> >
> > Has at&t told you they are refusing to patch? Or are you just spreading
> > FUD about at&t and don't actually have any information about their plans?
>
> I believe it is a hypothetical situation being presented...

so, no one else has had multiple copies of the following fwd'd to them with the heading, "WTF,O?"

note that it's full of factual errors but does seem to represent AT&T's position on CERT VU# 800113. that someone inside AT&T just assumed that this was the same problem as described in CERT VU#252735 and didn't bother to call CERT, or kaminsky, or me, to verify, ASTOUNDS me.

(if someone from AT&T's DNS division has time to chat, my phone numbers are in `whois -h whois.arin.net pv15-arin`.)

---

"AT&T Response: US-CERT DNS Security Alert- announced July 8, 2008

On July 8, 2008, US-CERT issued a Technical Cyber Security Alert TA08-190B with the title 'Multiple DNS implementations vulnerable to cache poisoning.' This alert describes how deficiencies in the DNS protocol and common DNS implementations facilitate DNS Cache poisoning attacks. This vulnerability only affects caching DNS servers, not authoritative DNS servers. This alert instructed administrators to contact their vendors for patches.

The DNS community has been aware of this vulnerability for some time. CERT technical bulletin http://www.kb.cert.org/vuls/id/252735 issued in July, 2007, identified this vulnerability but at the time no patches were available from vendors.

AT&T does not disclose the name of its DNS vendors as a security measure but has implemented a preliminary patch that was available in January, 2008. The latest patch for alert TA08-190B is currently being tested and will be deployed in the network as soon as its quality has been assured.

AT&T employs best practices in the management of its DNS infrastructure. For example, the majority of AT&T's caching DNS infrastructures have load balancers. Load balancers decrease the risk significantly because hackers are unable to target specific DNS servers. As with all patches to software affecting AT&T's production networks and infrastructure, AT&T first tests the patches in the lab to ensure they work as expected and then certifies them before deploying them into our production infrastructure.

Conclusion: Security is of paramount importance to AT&T. AT&T has a comprehensive approach to the security of its networks and supporting infrastructures. AT&T is meeting or exceeding our world-class DNS network performance measures. We will continue to monitor the situation and will deploy software upgrades, as warranted, following our structured testing and certification process."

===