Possible fix for Kaminsky's bug

L. Gabriel Somlo gsomlo at gmail.com
Thu Sep 4 17:07:30 UTC 2008


On Tue, Sep 02, 2008 at 02:10:12PM -0700, JINMEI Tatuya / 神明達哉 <Jinmei_Tatuya at isc.org> wrote:
> 
> No, the presence of an A record simply means the attack is not
> effective until the A record expires (the attack itself succeeds
> anytime unless the server also caches www.cnn.com./NS, which is very
> unlikely).  When "it gets renewed again", the server is already
> poisoned with the forged NS, and it will be poisoned with a forged A
> record by the forged NS.

Just shooting from the hip here, but what if we made it a rule to
never cache an NS record for longer than an existing, identically
named A record?

Thanks,
Gabriel
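The cache behaviour the quoted reply describes, and the NS-TTL cap proposed above, as an added example that is not code from this thread or from BIND. It is a toy positive cache with lazy expiry; the zone names, nameserver names, addresses and TTLs are constructed, and the forged response is simply assumed to have won the race, matching the reply's statement that the attack itself succeeds at any time.

```python
# Added example (not code from the bind-users thread or from BIND): a toy
# resolver cache that models the TTL interaction the reply describes, plus the
# proposed rule of capping an NS record's TTL to that of an identically named
# cached A record.  Names, TTLs and addresses below are constructed.

from dataclasses import dataclass


@dataclass
class RR:
    name: str
    rtype: str
    rdata: str
    expires: int  # absolute model time after which the entry is not served


class Cache:
    """Minimal positive cache keyed by (owner name, type), one RR per key."""

    def __init__(self, cap_ns_to_a=False):
        self.now = 0
        self.rrs = {}  # (name, rtype) -> RR
        # The rule proposed in the thread: never cache an NS record for
        # longer than an existing, identically named A record.
        self.cap_ns_to_a = cap_ns_to_a

    def tick(self, seconds):
        self.now += seconds

    def get(self, name, rtype):
        rr = self.rrs.get((name, rtype))
        if rr is None:
            return None
        if rr.expires <= self.now:
            del self.rrs[(name, rtype)]  # lazy expiry
            return None
        return rr

    def put(self, name, rtype, rdata, ttl):
        expires = self.now + ttl
        if self.cap_ns_to_a and rtype == "NS":
            a = self.get(name, "A")
            if a is not None:
                expires = min(expires, a.expires)
        rr = RR(name, rtype, rdata, expires)
        self.rrs[(name, rtype)] = rr  # later data replaces earlier data
        return rr

    def next_hop(self, qname):
        """Where a query for qname/A would be served from: the cache, the
        nameserver in the closest enclosing cached NS record, or the parent
        zone (TLD/root) when no cached delegation covers the name."""
        if self.get(qname, "A"):
            return "cache"
        labels = qname.split(".")
        for i in range(1, len(labels)):
            ns = self.get(".".join(labels[i:]), "NS")
            if ns:
                return ns.rdata
        return "parent"


def scenario(cap_ns_to_a):
    """Replay the sequence from the thread and record where www.cnn.com
    would be served from at two points in model time."""
    c = Cache(cap_ns_to_a)
    # Legitimate data the resolver already holds (constructed TTLs).
    c.put("cnn.com", "NS", "ns.legit.example", 3600)
    c.put("cnn.com", "A", "192.0.2.10", 600)
    c.put("www.cnn.com", "A", "192.0.2.11", 600)
    # The forged response to a random-subdomain query is accepted and its
    # authority section carries a long-lived NS for cnn.com (constructed).
    c.tick(10)
    c.put("cnn.com", "NS", "ns.attacker.example", 86400)
    hops = {}
    hops[c.now] = c.next_hop("www.cnn.com")  # the cached A still answers
    c.tick(600)                                # both A records have expired
    hops[c.now] = c.next_hop("www.cnn.com")  # now the cached NS decides
    return hops


if __name__ == "__main__":
    print("without cap:", scenario(False))
    print("with cap:   ", scenario(True))
```

In this model the cap only changes how long the forged NS is served: without it, the forged delegation is still present once the A record has expired and the next lookup goes to the attacker's nameserver; with it, the forged NS expires together with the identically named A record and the lookup falls back to the parent zone. Accepting the forged response is modelled as unconditional, so the cap does not affect whether the forgery is cached in the first place.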
