Updated: The patch for critical Internet flaw may be flawed itself

A Russian researcher has reported there are holes in the patch for the DNS flaw that threatened the foundations of the Internet.

Just a month ago, Dan Kaminsky told the world that the Internet’s Domain Name System (DNS), which routes Internet users to the proper addresses for web sites, could be compromised. He had organized a months-long effort to create a patch to fix the problem. But now it appears the patch doesn’t do the job, according to a story in the New York Times. It confirms Kaminsky’s own warning that the patch was a stopgap measure and that there were worse things coming out.

Evgeniy Polyakov, a physicist, said that he found a flaw in the patch for DNS, which is like the Internet’s telephone book, in just ten hours of work. He posted the news on his blog. Kaminsky said at Black Hat this week that the threat of the flaw was wider than he announced on July 8. That’s because there are a series of common Internet functions — such as sending a new password to a user who has forgotten it — that depend on the accuracy of DNS addresses.

Meanwhile, companies such as Secure64, which makes a secure operating system, are advocating a shift from DNS to a more secure form of the addressing system, dubbed DNSSEC. But it will likely take a long time for such an infrastructure shift to be implemented.

The patch is still better than no patch at all.

“The question is, if you are in a boat, which would you rather have – a gaping hole letting water flood in, or a pinhole?” said Brian Dickson, a DNS expert, in an email. “Hint: With a pinhole leak, you have the option of bailing water out of your boat until help arrives… with a gaping hole, not so much.”

Update: Kaminsky said today that the hack on the patch isn’t particularly alarming and that he predicted it would be possible in his own talk. He noted that before the patch, it would take 32,000 packets and a very short amount of time to crack DNS addressing systems. The attack used by the Russian researcher took 10 hours with a high-speed link using billions of packets. That risk, Kaminsky said, was an acceptable one, and it means that the community should now proceed with implementing a permanent fix.