Possible fix for Kaminsky's bug
Mark Andrews
Mark_Andrews at isc.org
Wed Aug 27 04:40:45 UTC 2008
> All,
>
> I believe the attached patch fixes Dan Kaminsky's bug, and puts us
> back to where an attacker would have to wait for the TTL to expire
> before being able to poison the cache.
>
> Anyone see any reason why we shouldn't do this?
>
> Thanks,
> Gabriel
This fails to account for DNSSEC verified changes.
> diff -NarU5 bind-9.5.0-P1.orig/lib/dns/rbtdb.c bind-9.5.0-P1/lib/dns/rbtdb.c
> --- bind-9.5.0-P1.orig/lib/dns/rbtdb.c 2008-05-01 14:32:31.000000000 -
> 0400
> +++ bind-9.5.0-P1/lib/dns/rbtdb.c 2008-08-26 23:25:45.000000000 -0400
> @@ -4939,11 +4939,11 @@
>
> /*
> * Trying to add an rdataset with lower trust to a cache DB
> * has no effect, provided that the cache data isn't stale.
> */
> - if (rbtversion == NULL && trust < header->trust &&
> + if (rbtversion == NULL && trust <= header->trust &&
> (header->rdh_ttl > now || header_nx)) {
> free_rdataset(rbtdb, rbtdb->common.mctx, newheader);
> if (addedrdataset != NULL)
> bind_rdataset(rbtdb, rbtnode, header, now,
> addedrdataset);
>
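Review bot: the comment directly above the condition still says an rdataset with "lower trust" has no effect, but changing `trust < header->trust` to `trust <= header->trust` now also rejects rdatasets of equal trust, so the comment no longer describes the code and should be updated with it. The larger problem is the one the reply raises: with `<=`, any legitimate update arriving at the same trust level as the cached header (the DNSSEC-verified case in particular) is discarded until `header->rdh_ttl` expires, so the check needs an explicit exception for verified data rather than a blanket `<=`, otherwise correct records are pinned behind the old ones for a full TTL.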
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org