Remembering Dan Kaminsky

Dan Kaminsky passed away on April 25th, 2021. He was 42 years old. We offer our condolences to his family and friends, and join in sadness with the rest of the networking world (and particularly in the field of DNS) honoring his memory.

From cat pictures to entire economies

The Internet was never designed to be secure. The Internet was designed to move pictures of cats. (Dan Kaminsky)

The internet as we know it today is very much an accident. At its core is DNS, a network service invented in 1983 and whose basic operating principles haven’t changed since. But the world has.

What started as a university project became a mission-critical fabric of the modern world. As such, the security of DNS has also turned from “nice to have” to “protect at all costs” as we replaced sharing cat pictures with sharing information that can be measured in human lives.

The “Kaminsky attack”

Dan is remembered for a lot, including being kind, professional, and a positive force for change. And our industry will always remember how the world of DNS was rocked to its core by Dan Kaminsky in 2008 in ways that shocked some of its most prominent figures.

DNS cache poisoning wasn’t a new threat, but what Dan showed was that it was possible to victimize not only singular DNS records but entire domains through a fraudulent name server.

The threat of such a flaw was so significant that it triggered an emergency summit at Microsoft, and developers of DNS software released patches shortly after.

10 weeks > 10 hours > 10 seconds

As Dan pointed out, however, they didn’t “fix” DNS. They took a step to delay and complicate an otherwise quick and easy attack. It was a layer of security but not a magic bullet.

DNS previously relied on a 16-bit transaction identifier, which was made more complex by adding more entropy through another 16 bits of UDP source port randomization. 32 bits worth of entropy is better: the added complexity puts more pressure on the attacker, who’ll need to dedicate more resources. Attacks that took 10 seconds before to yield a hit can take 10 hours or 10 weeks now, eliminating (or seriously hindering) lower-tier threats.

Since then, there were additional suggestions, from creating more entropy (such as Bit 0x20) to DNSSEC validation. The problem (which illustrates well the gravity of Dan Kaminsky’s discovery in that it prompted not only a fast response but also universal adoption) is introducing these measures (and any and all possible bugs and issues they could bring) into existing, highly complex systems.

Rest in peace, Dan

DNS is one of the oldest of the network technologies, invented at a time when the mere idea of the internet of today was something out of a science-fiction novel by William Gibson or Arthur C. Clarke. By the time the realization had set in, it was too late; you can’t change the very engine of a car running down the road at maximum speed.

The only thing to do was, and remains, to stay vigilant and fix the problems as they arise. It is done by heroes whose names we rarely know, but, as is the nature of a hero, they do it not for fame but to keep the world running. And sometimes improve it, little by little.

Dan Kaminsky was, and remains, such an unsung hero of our connected world. Today, there is not one person going about their day and conducting their business over a network of one kind or another who doesn’t owe a silent nod on his passing.