Possible fix for Kaminsky's bug

L. Gabriel Somlo gsomlo at gmail.com
Wed Aug 27 04:13:03 UTC 2008


All,

I believe the attached patch fixes Dan Kaminsky's bug, and puts us
back to where an attacker would have to wait for the TTL to expire
before being able to poison the cache.

Anyone see any reason why we shouldn't do this?

Thanks,
Gabriel


diff -NarU5 bind-9.5.0-P1.orig/lib/dns/rbtdb.c bind-9.5.0-P1/lib/dns/rbtdb.c
--- bind-9.5.0-P1.orig/lib/dns/rbtdb.c	2008-05-01 14:32:31.000000000 -0400
+++ bind-9.5.0-P1/lib/dns/rbtdb.c	2008-08-26 23:25:45.000000000 -0400
@@ -4939,11 +4939,11 @@
 
 		/*
 		 * Trying to add an rdataset with lower trust to a cache DB
 		 * has no effect, provided that the cache data isn't stale.
 		 */
-		if (rbtversion == NULL && trust < header->trust &&
+		if (rbtversion == NULL && trust <= header->trust &&
 		    (header->rdh_ttl > now || header_nx)) {
 			free_rdataset(rbtdb, rbtdb->common.mctx, newheader);
 			if (addedrdataset != NULL)
 				bind_rdataset(rbtdb, rbtnode, header, now,
 					      addedrdataset);
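Review bot: widening the comparison to `trust <= header->trust` changes more than the poisoning case, because the TTL test on the next line is OR'ed with `header_nx`: under the patched condition an incoming rdataset of equal trust is now discarded whenever the existing header is an nx entry, even when `header->rdh_ttl <= now`, where the original `<` only did that for strictly lower trust. Please confirm that is intended for the `header_nx` path, and note that equal-trust replacements that are legitimate (the same data re-learned from the same kind of section before expiry) are also frozen until the TTL runs out. Separately, the comment above the condition ("Trying to add an rdataset with lower trust to a cache DB has no effect") no longer describes the code; change it to "lower or equal trust" and say why, since the reason (stop an attacker's equal-trust answer from displacing a still-valid entry) is not obvious from a one-character diff. Finally, this guard only fires when a header is already cached and unexpired, so it does nothing for names that are not yet in the cache; the "attacker would have to wait for the TTL to expire" claim in the mail applies only to entries that are already present.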


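The claim in the mail is that, with the comparison changed from `<` to `<=`, an answer of equal trust can no longer displace a cached entry until that entry's TTL has passed. The following is an added example, written for this page and not code from the poster or from BIND, that models the guard in the hunk as a stand-alone function and runs the cases a reviewer would want to see: equal trust while fresh, equal trust after expiry, higher trust, lower trust, and an expired entry with the nx flag set. The struct and field names, the numeric trust ranking (additional below authority below answer, in the spirit of RFC 2181 section 5.4.1) and the sample times are assumptions for the model, not BIND's values.

```c
/*
 * Added example (not BIND code, not from the poster): a stand-alone model of
 * the cache-insertion guard in the hunk above, so the effect of changing
 * "trust < header->trust" to "trust <= header->trust" can be exercised.
 * Type/field names, trust values and times below are assumptions.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t stdtime_t;     /* absolute seconds; stands in for isc_stdtime_t */

/* Trust ranking in the spirit of RFC 2181 5.4.1 (additional < authority < answer).
 * The numeric values are assumptions made for this model. */
enum trust { TRUST_ADDITIONAL = 1, TRUST_AUTHORITY = 2, TRUST_ANSWER = 3 };

struct entry {
    enum trust trust;
    stdtime_t rdh_ttl;   /* absolute expiry, like header->rdh_ttl in the hunk */
    bool nx;             /* stands in for header_nx */
};

/* The guard from the hunk. Returns true when the incoming rdataset is dropped
 * and the cached one kept; `patched` selects <= (patch) instead of < (original). */
static bool keep_cached(const struct entry *cur, enum trust incoming,
                        stdtime_t now, bool patched)
{
    bool not_better = patched ? (incoming <= cur->trust) : (incoming < cur->trust);
    return not_better && (cur->rdh_ttl > now || cur->nx);
}

/* Try to store `in` over `cur` at time `now`; returns true if the cache changed. */
static bool cache_add(struct entry *cur, const struct entry *in,
                      stdtime_t now, bool patched)
{
    if (keep_cached(cur, in->trust, now, patched))
        return false;
    *cur = *in;
    return true;
}

/* One scenario: a cached entry (trust, seconds of TTL left, possibly negative,
 * nx flag) meets an incoming rdataset of trust `in_trust` under one policy.
 * Returns true if the incoming data replaced the cached entry. */
bool replaced(enum trust cached_trust, int32_t ttl_left, bool cached_nx,
              enum trust in_trust, bool patched)
{
    const stdtime_t now = 1000000;                 /* arbitrary reference time */
    struct entry cur = { cached_trust, (stdtime_t)((int64_t)now + ttl_left), cached_nx };
    struct entry in  = { in_trust, now + 3600, false };
    return cache_add(&cur, &in, now, patched);
}

static void show(const char *label, enum trust ct, int32_t ttl, bool nx, enum trust it)
{
    printf("  %-34s original(<): %-8s patched(<=): %s\n", label,
           replaced(ct, ttl, nx, it, false) ? "replaced" : "kept",
           replaced(ct, ttl, nx, it, true)  ? "replaced" : "kept");
}

int main(void)
{
    printf("cached entry vs incoming rdataset\n");
    show("equal trust, entry fresh",      TRUST_ANSWER,     3600, false, TRUST_ANSWER);
    show("equal trust, entry expired",    TRUST_ANSWER,       -1, false, TRUST_ANSWER);
    show("higher trust, entry fresh",     TRUST_ADDITIONAL, 3600, false, TRUST_ANSWER);
    show("lower trust, entry fresh",      TRUST_ANSWER,     3600, false, TRUST_ADDITIONAL);
    show("equal trust, expired nx entry", TRUST_ANSWER,       -1, true,  TRUST_ANSWER);
    return 0;
}
```

The first row is the case the patch is meant to fix: an equal-trust rdataset replaces a fresh entry under `<` and is kept out under `<=`. The last row is the side effect worth checking before merging: because `header_nx` is OR'ed with the TTL test, the patched condition also rejects an equal-trust rdataset against an nx entry whose TTL has already passed, which the original comparison did not.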