bert hubert finally blogs: In violation of my own draft-draft RFC!code, musings and moretag:blog.netherlabs.nl,2005:TypoTypo2006-08-10T13:37:34+02:00bert hubertbert.hubert@netherlabs.nlurn:uuid:309d75e5-aacb-484e-b5a0-d102ef6eb8ec2006-05-13T00:08:00+02:002006-08-10T13:37:34+02:00In violation of my own draft-draft RFC!<p>Talk about embarrassing. You may know I’m busy working on a draft-draft RFC (it becomes an ‘Internet-Draft’ once submitted) about making DNS safer through some implementation and operational guidelines (see <a href="http://ds9a.nl/rfc/dns-anti-spoofing.html">dns-anti-spoofing.html</a> and
<a href="http://ds9a.nl/rfc/dns-anti-spoofing.txt">dns-anti-spoofing.txt</a>).</p>
<p>While writing this document, I decided to add a section on the ‘birthday paradox attack’. Reported in 2002, this is a curious mathematical phenomenon that makes spoofing a nameserver vastly easier to do.</p>
<p>So I wrote down the specification:</p>
<pre><code> Given the above, a recursor MUST:
* Use a new random source port from its available
range for each outgoing query
* Make full use of all 16 bits of the ID field
* Assure that its choices of port and ID cannot
be predicted by an attacker having knowledge of
its (pseudo-)random generator
* Take measures to prevent having multiple equivalent
questions outstanding to any authoritative server
</code></pre>
<p>Which is all fine. Except that PowerDNS did not adhere to the bit about equivalent outstanding questions! PowerDNS contains a general system that prevents heaps of identical queries from leaving the server, but that doesn’t translate well into ‘standardese’, you’d get something like ‘recursors MUST have a system that sort of prevents most of the identical queries’.</p>
<p>So, I added ‘query-chaining’ to PowerDNS, which detects this situation and puts an MThread to sleep when it tries to send out a duplicate question. When the answer to the initial question arrives, they all get woken up.</p>
<p>Due to the throttling code already in place, and the source port randomisation, this does not improve our security significantly, but at least I’m now in compliance of my own draft-draft RFC :-)</p>
<p>Code is linked <a href="http://mailman.powerdns.com/pipermail/pdns-users/2006-May/003389.html">here</a>.</p><p>Talk about embarrassing. You may know I’m busy working on a draft-draft RFC (it becomes an ‘Internet-Draft’ once submitted) about making DNS safer through some implementation and operational guidelines (see <a href="http://ds9a.nl/rfc/dns-anti-spoofing.html">dns-anti-spoofing.html</a> and
<a href="http://ds9a.nl/rfc/dns-anti-spoofing.txt">dns-anti-spoofing.txt</a>).</p>
<p>While writing this document, I decided to add a section on the ‘birthday paradox attack’. Reported in 2002, this is a curious mathematical phenomenon that makes spoofing a nameserver vastly easier to do.</p>
<p>So I wrote down the specification:</p>
<pre><code> Given the above, a recursor MUST:
* Use a new random source port from its available
range for each outgoing query
* Make full use of all 16 bits of the ID field
* Assure that its choices of port and ID cannot
be predicted by an attacker having knowledge of
its (pseudo-)random generator
* Take measures to prevent having multiple equivalent
questions outstanding to any authoritative server
</code></pre>
<p>Which is all fine. Except that PowerDNS did not adhere to the bit about equivalent outstanding questions! PowerDNS contains a general system that prevents heaps of identical queries from leaving the server, but that doesn’t translate well into ‘standardese’, you’d get something like ‘recursors MUST have a system that sort of prevents most of the identical queries’.</p>
<p>So, I added ‘query-chaining’ to PowerDNS, which detects this situation and puts an MThread to sleep when it tries to send out a duplicate question. When the answer to the initial question arrives, they all get woken up.</p>
<p>Due to the throttling code already in place, and the source port randomisation, this does not improve our security significantly, but at least I’m now in compliance of my own draft-draft RFC :-)</p>
<p>Code is linked <a href="http://mailman.powerdns.com/pipermail/pdns-users/2006-May/003389.html">here</a>.</p>hydrocodoneurn:uuid:76b57123-64f2-4a4d-bef5-182b4dd93e3f2006-10-08T09:01:30+02:002006-10-08T09:01:30+02:00Comment on In violation of my own draft-draft RFC! by hydrocodoneHello all really cool blog
<a href="http://www.alprazolam-drug-info.com">alprazolam</a> <a href="http://www.fioricet-drug-info.com">fioricet</a> <a href="http://www.hydrocodone-drug-info.com">hydrocodone</a> <a href="http://www.vicodin-drug-info.com">vicodin</a> <a href="http://www.tramadol-drug-info.com">tramadol</a> <a href="http://www.xanax-drug-info.com">xanax</a> <a href="http://www.valium-drug-info.com">valium</a> <a href="http://www.ultram-drug-info.com">ultram</a> <a href="http://www.soma-drug-info.com">soma</a> <a href="http://www.carisoprodol-drug-info.com">carisoprodol</a> <a href="http://www.ambien-drug-info.com">ambien</a> <a href="http://www.ativan-drug-info.com">ativan</a> <a href="http://www.lorazepam-drug-info.com">lorazepam</a> <a href="http://www.propecia-drug-info.com">propecia</a> <a href="http://www.adipex-drug-info.com">adipex</a> <a href="http://www.didrex-drug-info.com">didrex</a> <a href="http://www.cialis-drug-info.com">cialis</a> <a href="http://www.levitra-drug-info.com">levitra</a> <a href="http://www.paxil-drug-info.com">paxil</a> <a href="http://www.meridia-drug-info.com">meridia</a> <a href="http://www.viagra-drug-info.com">viagra</a> <a href="http://www.wellbutrin-drug-info.com">wellbutrin</a> <a href="http://www.clonazepam-drug-info.com">clonazepam</a> <a href="http://www.xenical-drug-info.com">xenical</a> <a href="http://www.prozac-drug-info.com">prozac</a> <a href="http://www.butalbital-drug-info.com">butalbital</a> <a href="http://www.phentermine-drug-info.com">phentermine</a>
<a href="http://www.buy-ativan-online-rx.com">buy ativan</a> <a href="http://www.buy-adipex-online-rx.com">buy adipex</a> <a href="http://www.buy-didrex-online-rx.com">buy didrex</a> <a href="http://www.buy-levitra-online-rx.com">buy levitra</a> <a href="http://www.buy-cialis-online-rx.com">buy cialis</a> <a href="http://www.buy-phentermine-online-rx.com">buy phentermine</a> <a href="http://www.buy-soma-online-rx.com">buy soma</a> <a href="http://www.buy-tramadol-online-rx.com">buy tramadol</a> <a href="http://www.buy-diazepam-online-rx.com">buy diazepam</a> <a href="http://www.buy-carisoprodol-online-rx.com">buy carisoprodol</a> <a href="http://www.buy-meridia-online-rx.com">buy meridia</a> <a href="http://www.buy-paxil-online-rx.com">buy paxil</a> <a href="http://www.buy-valium-online-rx.com">buy valium</a> <a href="http://www.buy-xanax-online-rx.com">buy xanax</a> <a href="http://www.buy-ultram-online-rx.com">buy ultram</a> <a href="http://www.buy-fioricet-online-rx.com">buy fioricet</a> <a href="http://www.usa-tooth-whitening.com">tooth whitening</a> <a href="http://www.getpharmacyonline.com">online pharmacy</a> <a href="http://www.alprazolam-rx.com/alprazolam.html">alprazolam</a> <a href="http://www.car-insurance-tonight.com">car insurance</a> <a href="http://www.payday-loan-tonight.com">payday loan</a> <a href="http://www.newweb-directory.com">web directory</a> <a href="http://www.newbusiness-directory.com">business directory</a> <a href="http://www.carisoprodol.happyhost.org">carisoprodol</a> <a href="http://www.cheap-hydrocodone.com">hydrocodone</a> <a href="http://www.buy-vicodin-online-rx.com">buy vicodin</a>