<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=utf-8">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<title>ICANN News Alert</title>
<style>
<!--
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
h2
{mso-style-priority:9;
mso-style-link:"Heading 2 Char";
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:18.0pt;
font-family:"Times New Roman","serif";
font-weight:bold;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
span.Heading2Char
{mso-style-name:"Heading 2 Char";
mso-style-priority:9;
mso-style-link:"Heading 2";
font-family:"Cambria","serif";
color:#4F81BD;
font-weight:bold;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Courier New";
color:navy;
font-weight:normal;
font-style:normal;
text-decoration:none none;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body bgcolor=white lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Courier New"'><o:p> </o:p></span></b></p>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Courier New"'><o:p> </o:p></span></b></p>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Courier New"'>Thought
this might be of interest to some. <o:p></o:p></span></b></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New"'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New"'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New"'>Regards,<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New"'>Baher<o:p></o:p></span></p>
<p class=MsoNormal><span style='color:navy'><o:p> </o:p></span></p>
<div style='border:solid #CCCCCC 1.0pt;padding:8.0pt 8.0pt 8.0pt 8.0pt'>
<div>
<h2 style='margin-bottom:0in;margin-bottom:.0001pt'><span style='font-family:
"Arial","sans-serif"'>ICANN Highlights Domain Name System Vulnerability;
Releases Tools<o:p></o:p></span></h2>
<p style='margin:0in;margin-bottom:.0001pt'><span style='font-family:"Arial","sans-serif"'>ICANN
aims to raise awareness of critical Internet security issue<o:p></o:p></span></p>
<p style='mso-margin-top-alt:11.25pt;margin-right:0in;margin-bottom:0in;
margin-left:0in;margin-bottom:.0001pt'><span style='font-family:"Arial","sans-serif"'>6
August 2008<o:p></o:p></span></p>
<p><strong><span style='font-family:"Arial","sans-serif"'>MARINA DEL REY,
Calif.:</span></strong><span style='font-family:"Arial","sans-serif"'> The
Internet Corporation for Assigned Names and Numbers is raising awareness of a
recently discovered vulnerability in the domain name system (DNS). This
includes releasing an FAQ and an online tool for domain operators to test their
domains. <o:p></o:p></span></p>
<p><span style='font-family:"Arial","sans-serif"'>Due to the distributed nature
of the DNS, no one organization can implement a fix for this vulnerability. It
requires the cooperation of all name server operators and DNS software vendors.
However, ICANN sees an important goal in spreading awareness of the need to
update Internet infrastructure to cope with the threat. The organization has
been undertaking significant outreach efforts to top-level domain operators to
advise them on the issue. It has also prepared an FAQ and online domain testing
tool to raise awareness of the problem, and to encourage network operators to
rectify or update their servers. <o:p></o:p></span></p>
<p><strong><span style='font-family:"Arial","sans-serif"'>Summary of Cache
Poisoning Issue </span></strong><span style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
<p><span style='font-family:"Arial","sans-serif"'>Security researcher Dan
Kaminsky recently discovered a design flaw in the fundamental DNS protocol.
While it is not possible to fully fix this flaw, there are ways to improve
resistance to it. This involves system administrators patching or reconfiguring
their DNS servers. <o:p></o:p></span></p>
<p><span style='font-family:"Arial","sans-serif"'>The vulnerability affects
what are called "recursive" name servers, typically installed at ISPs
and corporate network gateways to assist DNS lookups and cache results for
faster lookups, rather than the type of name servers used by domain registries
which are "authoritative" name servers. <o:p></o:p></span></p>
<p><span style='font-family:"Arial","sans-serif"'>However, name servers can be
configured to perform both "recursive" and "authoritative"
functions from the same machine, and by doing so the susceptible recursive
function can cause security risks for the authoritative function. <o:p></o:p></span></p>
<p><strong><span style='font-family:"Arial","sans-serif"'>For domain operators </span></strong><span
style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
<p><span style='font-family:"Arial","sans-serif"'>For operators of domain
names, this vulnerability can be used to affect the contents of their zone if
their authorities also provide recursive name service. To detect whether a
particular zone is vulnerable, ICANN has produced a tool that can check a
particular domain: <o:p></o:p></span></p>
<p><span style='font-family:"Arial","sans-serif"'><a
href="http://click.icptrack.com/icp/relay.php?r=9826224&msgid=166598&act=52JX&c=165637&admin=0&destination=http%3A%2F%2Frecursive.iana.org">http://recursive.iana.org/
</a><o:p></o:p></span></p>
<p><span style='font-family:"Arial","sans-serif"'>Domain operators should look
to ensuring that all of the authoritative name servers for their domain are
separated from any recursive name servers to avoid being impacted by cache
poisoning attacks. <o:p></o:p></span></p>
<p><span style='font-family:"Arial","sans-serif"'>ICANN has also produced a set
of question and answers on this topic for domain operators, which is available
at: <o:p></o:p></span></p>
<p><span style='font-family:"Arial","sans-serif"'><a
href="http://click.icptrack.com/icp/relay.php?r=9826224&msgid=166598&act=52JX&c=165637&admin=0&destination=http%3A%2F%2Fwww.iana.org%2Freports%2F2008%2Fcross-pollination-faq.html">http://www.iana.org/reports/2008/cross-pollination-faq.html
</a><o:p></o:p></span></p>
<p><strong><span style='font-family:"Arial","sans-serif"'>For Internet users </span></strong><span
style='font-family:"Arial","sans-serif"'><o:p></o:p></span></p>
<p><span style='font-family:"Arial","sans-serif"'>For most users it is
important to ensure the DNS servers their computer uses to look up domains has
been patched to enable "source port randomization". To check if this
change has been made by your Internet provider one can go to an online testing
tool provided by the DNS Operations, Analysis and Research Center at: <o:p></o:p></span></p>
<p><span style='font-family:"Arial","sans-serif"'><a
href="http://click.icptrack.com/icp/relay.php?r=9826224&msgid=166598&act=52JX&c=165637&admin=0&destination=https%3A%2F%2Fwww.dns-oarc.net%2Foarc%2Fservices%2Fdnsentropy">https://www.dns-oarc.net/oarc/services/dnsentropy</a>
<o:p></o:p></span></p>
<p><span style='font-family:"Arial","sans-serif"'>To be guarded against the
vulnerability, the test result should return as "Great". If you do
not get such a result your should talk to your network administrator (typically
your ISP, or your company’s IT department) and advise them to update their
recursive name servers. <o:p></o:p></span></p>
</div>
</div>
</div>
</body>
</html>