CVE-2012-1033 (Ghost domain names) mitigation

Matus UHLAR - fantomas uhlar at fantomas.sk
Mon Feb 13 10:17:09 UTC 2012


On 09.02.12 11:43, Lyle Giese wrote:
>This is just my opinion, but this is not a bug.  It's the side effect 
>of a desirable feature called caching.

It's a design flaw - you cache something forever, even in cases where you 
should not. The cache time is given and we should not extend it, 
for valid reasons.

>Yea, we can brainstorm how to mitigate the effect, but in order to 
>mitigate a problem, we have to know that there is a problem(revoked 
>or bad domain).

I think that the described draft seems to solve the problem.

http://tools.ietf.org/html/draft-vixie-dnsext-resimprove-00

-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
M$ Win's are shit, do not use it!
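
Added example, not part of Matus's message, of Lyle's reply, or of the linked draft: a small Python simulation of the caching flaw being discussed. It models a parent zone that revokes a delegation, an attacker-run child server whose every answer carries the zone's NS RRset with a full TTL in the authority section, and a resolver that either lets that child data refresh the cached delegation's TTL (the behaviour that produces ghost domains) or keeps the expiry the parent's referral set and goes back to the parent once it passes (the mitigation as understood here: child-supplied NS data must not extend the parent's delegation TTL; this is a paraphrase, not the draft's text). The zone `ghost.example.`, the server name, the address `192.0.2.10`, the TTLs and the query schedule are all constructed for the illustration.

```python
"""Constructed simulation of the ghost-domain cache flaw (CVE-2012-1033).

One parent zone, one attacker-run child zone and a caching resolver whose
only configurable behaviour is whether NS data in the child's authority
section may refresh the cached delegation's TTL. Names, TTLs and the
address are made up for the illustration.
"""
from dataclasses import dataclass

DELEGATION_TTL = 86400            # one day, as published by the parent
CHILD = "ghost.example."          # the domain the parent will revoke
CHILD_NS = "ns1.ghost.example."


@dataclass
class RRset:
    owner: str
    rtype: str
    rdata: str
    ttl: int


class ParentZone:
    """The registry's zone: returns a referral until the delegation is revoked."""
    def __init__(self):
        self.delegated = True

    def revoke(self):
        self.delegated = False

    def query(self, name):
        if self.delegated and name.endswith(CHILD):
            return RRset(CHILD, "NS", CHILD_NS, DELEGATION_TTL)
        return None                   # NXDOMAIN


class AttackerChildServer:
    """Authoritative for CHILD. Every answer carries the apex NS RRset with a
    full, fresh TTL in the authority section: the lever the attack pulls."""
    def query(self, name):
        answer = RRset(name, "A", "192.0.2.10", 300)
        authority = RRset(CHILD, "NS", CHILD_NS, DELEGATION_TTL)
        return answer, authority


class Resolver:
    def __init__(self, parent, child, refresh_from_child):
        self.parent, self.child = parent, child
        self.refresh_from_child = refresh_from_child
        self.cache = {}               # (owner, type) -> (RRset, absolute expiry)

    def _delegation(self, now):
        entry = self.cache.get((CHILD, "NS"))
        return entry[0] if entry and entry[1] > now else None

    def resolve(self, name, now):
        """Return the A rdata, or None when the name no longer resolves."""
        if self._delegation(now) is None:
            referral = self.parent.query(name)
            if referral is None:
                return None           # parent says NXDOMAIN: the domain is gone
            self.cache[(CHILD, "NS")] = (referral, now + referral.ttl)
        answer, authority = self.child.query(name)
        if self.refresh_from_child:
            # Flawed behaviour: the child's copy of the delegation replaces the
            # parent's and pushes the expiry out by another full TTL.
            self.cache[(CHILD, "NS")] = (authority, now + authority.ttl)
        # Otherwise the expiry set from the parent's referral stands; when it
        # passes, the next lookup goes back to the parent.
        return answer.rdata


def simulate(refresh_from_child, interval=DELEGATION_TTL // 2, days=30):
    """Revoke CHILD right after the cache is primed, then query it every
    `interval` seconds for `days` days. Returns, in days, the last time the
    revoked name still resolved (0.0 if it never did after revocation)."""
    parent = ParentZone()
    resolver = Resolver(parent, AttackerChildServer(), refresh_from_child)
    resolver.resolve("www." + CHILD, now=0)      # prime the cache
    parent.revoke()
    last_ok = 0
    for now in range(interval, days * DELEGATION_TTL + 1, interval):
        if resolver.resolve("www." + CHILD, now) is not None:
            last_ok = now
    return last_ok / DELEGATION_TTL


if __name__ == "__main__":
    print("refresh from child, query every 12h:", simulate(True), "days")
    print("parent TTL honoured, query every 12h:", simulate(False), "days")
    print("refresh from child, query every 48h:",
          simulate(True, interval=2 * DELEGATION_TTL), "days")
```

With the flawed refresh and a query at least once per TTL, the revoked name resolves for the whole 30-day horizon (and would forever); with the parent's expiry honoured it stops resolving at the first lookup after the original one-day TTL. The third run shows the precondition the attacker needs: if nobody queries the zone within one TTL, the cached delegation lapses and the parent's NXDOMAIN wins even in the flawed mode.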
