Possible fix for Kaminsky's bug
L. Gabriel Somlo
gsomlo at gmail.com
Thu Sep 4 16:31:46 UTC 2008
> I also tried that successfully. What exactly did you try, and how
> didn't it work?
I figured it out, and you're right, it does work. I had the wrong fake
nameservers which explains my original results :)
> No, the presence of an A record simply means the attack is not
> effective until the A record expires (the attack itself succeeds
> anytime unless the server also caches www.cnn.com./NS, which is very
> unlikely). When "it gets renewed again", the server is already
> poisoned with the forged NS, and it will be poisoned with a forged A
> record by the forged NS.
Now if only there were a way not to cache answers to questions we
never asked...
Thanks,
Gabriel
More information about the bind-users
mailing list