Security Update 2009-004 DNS Patch Applies to Few Systems
Security Update 2009-004, Apple’s latest update to the domain name service (DNS) software found in client and server versions of Mac OS X 10.4 and 10.5, is critical – but affects only those people who have manually enabled Mac OS X’s DNS server.
This includes system administrators using the DNS server in Tiger Server or Leopard Server for name resolution where the DNS server can be reached in any fashion from outside the local network. It also includes a very small number of people who like to monkey around at the command line and happened to enable the DNS server on regular (non-Server) Tiger or Leopard systems.
The flaw that the update fixes is a denial of service: it could disrupt a network by allowing a remote attacker with no other access to a company’s network to crash its DNS server. It’s likely that Apple servers represent a nearly invisible fraction of all public-facing DNS servers worldwide, and thus few attackers would go looking for this now-patched problem, which is no reason to leave an exposed server unpatched.
Security Update 2009-004 for Mac OS X and Mac OS X Server 10.4.11 and 10.5.8 has nothing to do with fundamental DNS flaws that Rich Mogull and I wrote about in “Apple Fails to Patch Critical Exploited DNS Flaw” (2008-07-24) and Adam Engst and I updated with “Apple Finally Fixes DNS Flaw and ARDAgent Vulnerability” (2008-08-01).
DNS still suffers from a fundamental design flaw that last year’s patches did not address: they made the problem enormously harder to exploit but did not eliminate it, because a resolver still accepts any answer whose cleartext fields happen to match its query. DNS’s security infrastructure has to evolve to embed cryptography (the DNSSEC extensions) in such a way that the answer to a request to turn a human-readable domain name into an IP address can’t be spoofed by an attacker.
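To make that design flaw concrete, here is an added example (written for this page, not code from the article or from Apple): a toy resolver that applies exactly the checks a pre-DNSSEC resolver makes before caching an answer, and an off-path forger that beats it. The packets are built by hand from the DNS wire format; the name, the attacker’s address (a TEST-NET documentation address), and the ephemeral-port count are constructed assumptions. It goes slightly beyond the text by quantifying what last year’s source-port randomization bought: a larger guessing space, not authentication.

```python
"""Why an unsigned DNS answer can be forged: a toy resolver and forger.

Added example, not from the article or Apple's code. It builds DNS packets
by hand and shows the only fields a pre-DNSSEC resolver checks before
accepting an answer: the 16-bit transaction ID, the UDP port, and the
question section. None of them proves who sent the packet.
"""
import random
import struct

# Constructed sample data (assumptions for this example).
QNAME = "www.example.com"
ATTACKER_IP = "192.0.2.1"          # TEST-NET-1 documentation address
HEADER = struct.Struct("!HHHHHH")  # id, flags, qdcount, ancount, nscount, arcount


def encode_name(name):
    """Encode a dotted name as length-prefixed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(txid, name):
    """Recursive A/IN query (RD bit set) for `name`."""
    return HEADER.pack(txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)


def build_response(txid, name, ip):
    """Answer carrying one A record; the owner name is a pointer to the question."""
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(o) for o in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, len(rdata)) + rdata
    return HEADER.pack(txid, 0x8180, 1, 1, 0, 0) + question + answer


def answer_ip(response, name):
    """Extract the A record from a response produced by build_response."""
    offset = HEADER.size + len(encode_name(name)) + 4 + 2 + 10
    return ".".join(str(b) for b in response[offset:offset + 4])


def resolver_accepts(outstanding, response, dst_port):
    """Checks a pre-DNSSEC resolver makes before caching an answer.

    `outstanding` is (txid, src_port, question_bytes) for the query it sent.
    Every check is against a cleartext value an off-path attacker can guess.
    """
    txid, src_port, question = outstanding
    resp_id, flags, qd, an, _, _ = HEADER.unpack_from(response)
    if dst_port != src_port:          # reply must land on the query's source port
        return False
    if resp_id != txid:               # 16-bit transaction ID must match
        return False
    if not flags & 0x8000 or qd != 1 or an < 1:
        return False
    return response[HEADER.size:HEADER.size + len(question)] == question


def spoof_fixed_port(name, attacker_ip, port=53):
    """Off-path forgery against a resolver that always queries from one port.

    The attacker never sees the query; it simply tries every transaction ID.
    Returns how many forged packets were needed and what got cached.
    """
    txid = random.randrange(65536)
    question = build_query(txid, name)[HEADER.size:]
    outstanding = (txid, port, question)
    for attempt, guess in enumerate(range(65536), start=1):
        forged = build_response(guess, name, attacker_ip)
        if resolver_accepts(outstanding, forged, port):
            return {"attempts": attempt, "cached_ip": answer_ip(forged, name)}
    return {"attempts": 65536, "cached_ip": None}


def expected_forgeries(randomized_port, usable_ports=64512):
    """Average forged packets per successful guess.

    Source-port randomization (the 2008 fix) multiplies the search space by
    the number of ephemeral ports (assumed 1024-65535 here); it adds no
    authentication, so a lucky or fast enough attacker still wins.
    """
    space = 65536 * (usable_ports if randomized_port else 1)
    return space / 2


if __name__ == "__main__":
    print(spoof_fixed_port(QNAME, ATTACKER_IP))
    print("expected forgeries, fixed source port: %.0f" % expected_forgeries(False))
    print("expected forgeries, random source port: %.0f" % expected_forgeries(True))
```

The toy leaves out the race against the legitimate answer and the tricks that keep the attack window open, so it understates the real difficulty; the point it does show is that `resolver_accepts` has nothing cryptographic to check, which is what a signed-answer scheme would change.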
It is nice to see Apple release this BIND patch relatively timeously. As to DNSSEC, it won't be ubiquitous for at least two more decades--one decade has barely made a start.
You're probably right on DNSSEC, even though I'd like to be optimistic that a massive, well-known flaw lights some fire.
Hey, we might even have IPv6 widely deployed in the next decade!
There is just so much to change to get DNSSEC widely used.
IPv6 will likely happen faster, since barring yet another invention we really are running out of IPv4 space this time. There were two prior reprieves--web virtual domains by name rather than by IP, and widespread NAT.
There are more bits and pieces--more things can be NATted, and, for example, I really don't think Apple can justify the entire 17.0.0.0/8 which they "own". (Plus at least one /16 I ran into in Hong Kong.) Stanford among others gave up their /8; but Apple clings. The fact that Apple got a Class A (which 17 was in those days) shows how early they noticed the Internet.
DNSSEC will become widely deployed when DNS gets widely hacked. That'll happen when SPF, DKIM and DKIM ADSP become widely published, and widely respected, and spammers have to use DNS hacks to spoof sender addresses.
DKIM ADSP became an Internet standard yesterday, and will allow us to track DKIM uptake (without ADSP, the absence of DKIM signatures is meaningless). SPF adoption is proceeding rapidly, with 90% of US banks using it, for example.