BIND Patch hands Verisign another weapon
Jonathan de Boyne Pollard
J.deBoynePollard at Tesco.NET
Thu Sep 18 00:53:45 UTC 2003
JW> I hope this patch does not filter out glue records for
JW> nameserver hosts?!
PV> if you query for glue directly you should be
PV> receiving delegations, so, no.
If one queries for "glue" directly, Verisign's servers return complete
answers, not referrals.
[C:\]dnsqry /server:m.gtld-servers.net. a ns1.pingmagic.com. | tail /9
[192.55.83.30:0035] -> [0.0.0.0:0000] 126
Header: 0001 1+1+2+2, R, , query, no_error
Question: ns1.pingmagic.com. IN A
Answer: ns1.pingmagic.com. IN A 172800 202.140.169.216
Authority: pingmagic.com. IN NS 172800 ns1.pingmagic.com.
Authority: pingmagic.com. IN NS 172800 ns2.monitor724.com.
Additional: ns1.pingmagic.com. IN A 172800 202.140.169.216
Additional: ns2.monitor724.com. IN A 172800 143.89.51.48
[C:\]
The only reason that this happens to work with the new
"delegation-only" feature is the presence of the resource record
sets in the "authority" section, allowing the answer domain name
to be recognized as being under an actual registered subdomain
of "com.", thereby skipping the "delegation-only" processing.
But Verisign can simply turn off the addition of such resource
records, leaving just the bare answer resource record set. This,
according to the rules for "delegation-only", would force BIND to
turn the response into a "no such name" answer for
"ns1.pingmagic.com.". Without "delegation-only", in contrast, the
response would be used as it stood. Thus, by this patch, Verisign
is handed a weapon for causing explicit queries for "glue" to yield
wrong answers _only_ to those people employing "delegation-only", and
thereby for causing denials of service specifically for the people
who are trying to disregard its wildcards with this mechanism.
(Alas! Using "www.example.com." as the intermediate domain name for
an "example.com." content DNS server, and similar unwise practices,
are not entirely unheard of. So one cannot assert that if Verisign
chose to mount such an attack it would have little effect becase
explicit queries for the intermediate domain names would be
unlikely to be issued. There's also the common occurrence of lookups
for intermediate domain names such as "m.root-servers.net." to take
into account.)
All of the patches, for all of the DNS server softwares, published
thus far have handed Verisign a new weapon. This one is simply
subtler than most. If one is taking the view that Verisign has
gone rogue, handing it further powers to do more damage (as these
various mechanisms all do) is not the way to proceed.
More information about the bind-users
mailing list