ISC BIND 9.4.2-P2-W1 is now available
Kevin Darcy
kcd at chrysler.com
Tue Sep 9 02:41:39 UTC 2008
Evan Hunt wrote:
>> In what way would it be unsafe to run a non-Kaminsky-patched
>> *authoritative-only* nameserver? My understanding is that Kaminsky only
>> applies to resolvers.
>>
>
> Well, for one thing, upgrading to a patched server protects against the
> "idiot successor" problem, where someone takes over your job someday
> and naively reconfigures your server to be unsafe. ;)
>
> The theoretical, academic answer to your question is: a Kaminsky-style
> attack is much less likely to succeed against an authoritative-only server
> than against a resolver. I'm not prepared, though, to say it's impossible
> (auth-only servers do send notifies and maintain a small cache).
>
NOTIFY is a non-issue in my opinion.
a) NOTIFY activity is driven by zone changes, the timing of which is
usually unknowable by the attacker, thus making successful forgery
significantly rarer than in the case of normal queries and responses,
b) the most that the attacker could hope to accomplish is an indirect
DoS on the primary master server, by causing all of its slaves to
perform refreshes. But there is very little amplification here, compared
to other forms of DNS DoS attacks,
c) since masters and slaves already have a trust relationship, they can
and should already be using TSIG to authenticate their transactions,
which includes NOTIFY transactions.
- Kevin
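Point (c) above recommends TSIG between masters and slaves. The following named.conf fragments, added here as an example and not part of the thread, show a BIND 9 primary/secondary pair whose NOTIFY, SOA refresh and AXFR/IXFR traffic is all TSIG-signed; the addresses 192.0.2.1 and 192.0.2.2, the key name, the zone and the file names are assumptions.

```conf
// Added example, not from the thread. Two named.conf fragments (primary and
// secondary) that TSIG-authenticate master/slave traffic, NOTIFY included.
// Assumed: primary 192.0.2.1, secondary 192.0.2.2, zone example.com.

// ---- shared by both servers: the key statement must be identical ----
key "primary-secondary.example." {
    algorithm hmac-sha256;
    // placeholder: paste the base64 secret produced by tsig-keygen here
    secret "REPLACE-WITH-BASE64-SECRET-FROM-tsig-keygen";
};

// ---- primary (192.0.2.1) ----
server 192.0.2.2 {
    // every request named sends to the secondary is signed with this key,
    // which covers the NOTIFY messages sent on zone change
    keys { "primary-secondary.example."; };
};

zone "example.com" {
    type master;
    file "example.com.db";
    also-notify { 192.0.2.2; };
    // only a requester proving possession of the key may pull the zone
    allow-transfer { key "primary-secondary.example."; };
};

// ---- secondary (192.0.2.2) ----
server 192.0.2.1 {
    // SOA refresh queries and AXFR/IXFR requests to the primary are signed
    keys { "primary-secondary.example."; };
};

zone "example.com" {
    type slave;
    file "example.com.bak";
    masters { 192.0.2.1; };
    // the listed master is always allowed to notify; any other source is
    // accepted only when its NOTIFY is signed with the shared key
    allow-notify { key "primary-secondary.example."; };
};
```

Because the refresh that a NOTIFY triggers is itself a signed SOA query and transfer to the configured master, a forged NOTIFY can at most cause the extra refresh traffic described in point (b), never inject zone data.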