DNS Drama Exposed (Dramatically) (wired.com)
62 points by olefoo on Nov 26, 2008 | hide | past | web | favorite | 25 comments

The article is a lot more fun if you read it to yourself in the movie trailer guy voice.

"In a WORLD where ONE MAN holds the KEY to the entire INTERNET!"

Don LaFontaine, recently deceased.


I realize this is Wired, but did they really have to dramatize it so much? I mean, come on, talking about the possibility of routing the entire .com domain through his laptop? It sounded like something that Robert Ludlum would write.

They also portray Kaminsky as a pathetic nobody working out of his lonely apartment, when in reality he was already well respected before the DNS flaw discovery.

The device of having a despised outsider turn out to be a hero is extremely common not just in sci-fi but in heroic tales generally.

What were the odds I'd get to say that twice in one day?

> What were the odds I'd get to say that twice in one day?

Just don't say it a third time, lest you create an unkillable meme...

The device of having a despised phrase turn out to be an unkillable meme is extremely common not just in sci-fi but in heroic tales generally.

With my special training program, anyone can turn 100 despised phrases into unkillable memes, not just in Hacker News but in social sites generally.

> It sounded like something that Robert Ludlum would write.

Or John Markoff?

Indeed. The title should have appended: "...dramatically."

> If the information in an email were accidentally copied onto a hard drive, that hard drive would have to be completely erased, Vixie said.

Ridiculous. I doubt Vixie said that.

I heartily recommend the author's previous work in Wired, "High Tech Cowboys of the Deep Sea." A bit lower on the drama dial, still quite interesting:


Lower on the drama? People get killed in that story, with the reporter present! I remember that story very well. Made an impression on me. More exciting than DNS flaws...

I think this is a terrible article. Paul Vixie has done nothing to fix this situation. He certainly does not deserve the fame of the article.

Other DNS servers like DJB-DNS and PowerDNS have implemented proper port randomization as part of their design a LONG time ago. As a result of that those servers are completely unaffected by this DNS exploit.

Vixie and his Bind crew ignored the whole thing for a long time until it blew up in their face. Now it is just an excuse to roll out the monster that is called DNSSEC of course. Great marketing.
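The post above hinges on source port randomization: a resolver that always sends from the same UDP port (or from a simple counter) leaves only the 16-bit transaction ID for a reply to match, while a randomized port adds a second field that an off-path forged reply has to get right. The script below is an added example, not code from the article or from any of the resolvers named in the thread; it classifies a resolver's outgoing source ports as fixed, sequential or randomized and estimates how many bits of query identity protect each lookup. The three port lists are constructed sample data (a practitioner would replace them with ports read from a capture of their own resolver's outbound queries), and the function names are this example's own.

```python
"""Check whether a resolver's outgoing DNS queries use a fixed, sequential
or randomized UDP source port, and what that means for reply matching.

Added example; not from the linked article or any project in the thread.
The port lists are constructed sample data, not real packet captures.
"""

import math
import random
from collections import Counter

TXID_BITS = 16  # the DNS transaction ID is a 16-bit field

# Constructed samples: the source port seen on 40 consecutive outgoing
# queries from three hypothetical resolvers (not measurements of real software).
FIXED_PORT_RESOLVER = [53] * 40
SEQUENTIAL_PORT_RESOLVER = list(range(32768, 32768 + 40))
RANDOMIZED_PORT_RESOLVER = random.Random(7).sample(range(1024, 65536), 40)


def port_entropy_bits(ports):
    """Shannon entropy (bits) of the observed source-port distribution.

    With n samples this saturates at log2(n), so it measures the spread of
    the sample, not the resolver's true generator entropy; that is why the
    sequential check below is needed as well.
    """
    counts = Counter(ports)
    total = len(ports)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def is_sequential(ports):
    """True when every consecutive pair of ports differs by the same
    non-zero step, i.e. the port comes from a counter, not a random choice."""
    if len(ports) < 3:
        return False
    diffs = {b - a for a, b in zip(ports, ports[1:])}
    return len(diffs) == 1 and 0 not in diffs


def assess(ports):
    """Classify the observed port pattern as 'fixed', 'sequential' or
    'randomized' (the last meaning only that no simple pattern was found)."""
    if len(set(ports)) == 1:
        return "fixed"
    if is_sequential(ports):
        return "sequential"
    return "randomized"


def query_identity_bits(ports):
    """Bits of query identity a reply must match before the resolver accepts it.

    A fixed or counter-based port is predictable, so it contributes nothing
    and the TXID stands alone; a randomized port adds its observed entropy.
    """
    if assess(ports) in ("fixed", "sequential"):
        return float(TXID_BITS)
    return TXID_BITS + port_entropy_bits(ports)


def report(name, ports):
    """One summary line per resolver sample."""
    return (f"{name}: source ports look {assess(ports)}, "
            f"~{query_identity_bits(ports):.1f} bits of query identity per lookup")


if __name__ == "__main__":
    for label, sample in (("fixed", FIXED_PORT_RESOLVER),
                          ("sequential", SEQUENTIAL_PORT_RESOLVER),
                          ("randomized", RANDOMIZED_PORT_RESOLVER)):
        print(report(label, sample))
```

With only 40 samples the entropy figure is capped near 5.3 bits, so the script can prove a resolver is fixed or sequential but can only say a randomized-looking one is consistent with randomization; a longer capture narrows that gap. The same check is what the public "port test" services of the time performed from the outside, by watching which ports a resolver used to reach them.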

Well, I'm no expert but it sounds like source port randomization is a bandaid, while DNSSEC is the better lasting solution.

DNSSEC is a debacle of epic proportions. It has taken over 13 years for that one standards effort to solidify to the point where it is today, which is a "secure DNS" protocol where there is still no real agreement on how to prevent arbitrary people on the Internet from dumping the contents of your zone files.

I predict, without any real evidence to back me up, that DNSSEC is DOA for a simple reason: the total Internetwide deployment of resolver libraries with a "gethostbyname()" interface; none of these libraries can handle transient or "soft" DNS security failures. SSL, a protocol that is far, far easier to deploy and manage than DNSSEC, sees transient errors so often that users are rebelling against the size of the error messages Firefox generates for them. DNSSEC transient failures kill your lookup.

I can give lots of other reasons why DNSSEC isn't going to work, but that's one you might not have thought of.

Does anyone have a link detailing the exploit? I'm not a DNS expert, so something easily consumable would be great.

As a fellow DNS non-expert, I found http://www.unixwiz.net/techtips/iguide-kaminsky-dns-vuln.htm... to be pretty clear.

Wow, I learned so much from that article. Thanks for linking it.

Just ask tptacek, I hear he likes to talk about it ;)

(Thomas Ptacek in the article == tptacek on Hacker News)

You just made my list, tlrobinson. One name. tlrobinson.

http://news.ycombinator.com/user?id=davidu is here too, although not as active as tptacek.

The author would probably make a pretty good screenwriter for Sneakers2. I guess the dictionary word of the day is bombastic...

Technical summary, please?

There's not much technical in this article, just an overly dramatized account of the history of this vulnerability.

Not exactly a "summary", but... http://www.unixwiz.net/techtips/iguide-kaminsky-dns-vuln.htm...
