IETF: Should We Ignore the Kaminsky Bug?
Nov 21, 2008, 17:33 (0 Talkback[s])
"In July, security researcher Dan Kaminsky discovered a DNS bug
that allows for cache poisoning attacks, where a hacker redirects
traffic from a legitimate Web site to a fake one without the user
knowing. With DNSSEC, the IETF already has a solution to the
Kaminsky problem and other known DNS vulnerabilities. However,
DNSSEC hasn't been widely deployed, although it has been under
development for more than a decade.
"DNSSEC prevents hackers from hijacking Web traffic and
redirecting it to bogus sites. The Internet standard prevents
spoofing attacks by allowing Web sites to verify their domain names
and corresponding IP addresses using digital signatures and
"The problem is that DNSSEC prevents Kaminsky attacks only when
it is fully deployed across the Internet -- from the DNS root zone
at the top of the DNS heirarchy down to individual top-level
domains, such as .com and .net. Until then, Web sites remain
vulnerable to Kaminsky-style attacks."