2.3.2012: The recurring urban legend about Dan Kaminsky

No, no, it happened again: After Peter Koch from DENIC [1] gave his tutorial about DNSSEC [2] last week at the DFN Security Workshop [3] Matthijs Mekking from NLnetLabs again based the need for DNSSEC on the vulnerabilities Dan Kaminksy [4] has reported (uups, link is broken) on the BlackHat conference in 2008 [5] while introducing OpenDNSSEC [6] at the GUUG's Frühjahrsfachgespräch in Munich [7]:

This is simply an urban legend.

Let's try to work it out, though it is difficult, since a lot traces have been wiped out from the Internet. A very good explanation about DNS and it's potential problems is given by [8], leaving the claim aside, this discovery was due to Dan Kaminsky. However, we have to distinguish between (1) the shortages of the DNS protocol and (2) the failures implementing the standard in a safe way.

The most profound analysis I found was published March 2003 on Security Focus [9] discussing not only the weaknesses of the protocol, but also providing some analysis of Paul Vixie's Bind 8, Bind 9 [10] and Dan Bernstein's djbdns 1.05 [11]. I posted the link of the source to www.tinydns.org [12] in 2003, but since the article was removed from their site, it also disappeared here.

Actually, the first (public available) analysis of the weaknesses of the DNS protocol was done by Christoph Schuba in 1993 for his Master Thesis [13]. In particular, chapter 3 shows already at that early stage, the principal problems of the DNS. In the year 2002 Dan Bernstein published version 1.05 of djbdns [11] avoiding many of the design failures of Bind, in particular the use of a fixed port (53) for DNS Queries and the disastrous coupling of an Authoritative Name Server with a Name Resolver. While I did some research for the DNS chapter in my book 'Technik der IP Netze' [14] in 2006, some DDos attacks happened against the DNS root servers [14] and the situation regarding Bind became so bad, that the ICANN raised the warning: 'Bind is not suitable for root servers'. Of course, this information is extinguished from the Web.

Probably around 2004 Kaminsky joined the club and investigated DNS issues. His talk on the Blackhat 2008 conference became legendary, though I currently have no source to provide to the reader (maybe some youtube videos do exist).

Ironically, Kaminsky's (confuse) talk triggered the Vulnerability Note VU#800113 [15] which is additionally apparent at Security Focus [16] -- currently owned by Symantec.

As a nick of time, I need to mention, that Dan Kaminsky now holds one of the 'seven' DNSSEC root keys as 'crypto officer' [17].


PS: The famous Kaminsky Blackhat 2008 video has been added [18].


[1] www.denic.de/en/homepage.html
[2] en.wikipedia.org/wiki/Dnssec
[3] www.dfn-cert.de/veranstaltungen/workshop.html
[4] dankaminsky.com/DMK_BO2K8.ppt
[5] Blackhat_Kaminsky.png
[6] www.guug.de/veranstaltungen/ffg2012/abstracts.html#4_1_2
[7] www.guug.de/veranstaltungen/ffg2012/
[8] www.unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html
[9] cachepoisoning.pdf
[10] www.isc.org/software/bind
[11] cr.yp.to/djbdns.html
[12] www.tinydns.org
[13] ftp.cerias.purdue.edu/pub/doc/network/schuba-DNS-msthesis.ps.Z
[14] www.icann.org/committees/security/dns-ddos-advisory-31mar06.pdf
[15] www.kb.cert.org/vuls/id/800113
[16] www.securityfocus.com/bid/30131/info
[17] www.schneier.com/blog/archives/2010/07/dnssec_root_key.html
[18] media.blackhat.com/bh-usa-08/video/bh-us-08-Kaminsky/black-hat-usa-08-kaminsky-blackops08-hires.m4v