Hacker News new | past | comments | ask | show | jobs | submit login

If the server randomizes both the Query-ID and source port, the attacker has less than 1/100000000 chance of sending a valid reply: http://unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html#fi...

An attacker can send more than one packet, and likely make multiple attempts to 'verify' the domain under attack. If the attack window is 1 second, and an attacker can source 1 million (spoofed) packets per second, and the server is using the full space for source port and query ids, and there's a single resolver, the attacker can get a cert fraudulently issued about 1 out of 4000 times.

DNSSEC makes that much harder, so it's nice that their resolvers are using it.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact