replicate a whole master

Tony Finch dot at dotat.at
Wed Sep 21 12:26:20 UTC 2016


Mukund Sivaraman <muks at isc.org> wrote:
>
> There's an attempt to make it go one step further by refreshing whole
> zones in the cache:
>
> https://github.com/muks/dnsrefresh
>
> It needs another section to be completed before upload, possibly in time
> for IETF-97.

Oh dear, that is deeply problematic wrt DNSSEC.

It allows an attacker to suppress modifications to a zone (i.e. prevent a
cache from seeing changed records) by fiddling with the EDNS ZONE option
in responses to queries from the cache.

It's hard to fix this: even if you use the signed SOA RRset instead of the
unsigned ZONESERIAL and ZONENAME in the ZONE option, an attacker can still
replay old SOA records up to the signature expiry time, which frequently
is frequently weeks in the future. Now, to be fair, DNSSEC already allows
replay attack. But the ZONE option greatly magnifies the effect of a
successful attack.

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
Northwest Fitzroy, Sole: Southwesterly 5 or 6, veering westerly or
northwesterly 4 or 5 for a time. Moderate or rough. Rain or showers. Good,
occasionally moderate.
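As an added illustration of the two points in the reply above (not code from the thread or from the dnsrefresh draft), the following Python computes how long a captured, validly signed SOA RRset remains acceptable to a validator, using the RFC 4034 RRSIG timestamp format, and compares zone serials with RFC 1982 serial arithmetic, which is what a cache must use before treating any ZONESERIAL value as "newer". The RRSIG inception/expiration values and the clock are constructed sample values, not taken from any real zone.

```python
"""DNSSEC replay window and serial comparison (added example, constructed data)."""
from datetime import datetime, timezone

SERIAL_BITS = 32
SERIAL_HALF = 1 << (SERIAL_BITS - 1)
SERIAL_MASK = (1 << SERIAL_BITS) - 1


def parse_rrsig_time(text: str) -> datetime:
    """RFC 4034 presentation format for RRSIG inception/expiration:
    YYYYMMDDHHmmSS, always interpreted as UTC."""
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def rrsig_replay_window(inception: str, expiration: str, now: str) -> int:
    """Seconds, measured from `now`, during which a captured RRSIG (and the
    RRset it covers, e.g. an old SOA) would still validate if replayed.
    Returns 0 when the signature is not yet valid or has already expired."""
    inc = parse_rrsig_time(inception)
    exp = parse_rrsig_time(expiration)
    at = parse_rrsig_time(now)
    if at < inc or at >= exp:
        return 0
    return int((exp - at).total_seconds())


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 serial number arithmetic: True if a is 'after' b modulo 2^32.
    Neither a > b nor b > a holds when the two differ by exactly 2^31."""
    a &= SERIAL_MASK
    b &= SERIAL_MASK
    return (a < b and b - a > SERIAL_HALF) or (a > b and a - b < SERIAL_HALF)


def classify_serial_hint(cached_serial: int, hinted_serial: int) -> str:
    """How a cache would read a zone-serial value relative to its cached SOA.
    Note that an unsigned hint equal to the cached serial is exactly what a
    replayed or forged value looks like, so 'unchanged' must not by itself
    extend the life of cached data."""
    if hinted_serial == cached_serial:
        return "unchanged"
    if serial_gt(hinted_serial, cached_serial):
        return "newer"
    if serial_gt(cached_serial, hinted_serial):
        return "older"
    return "ambiguous"


if __name__ == "__main__":
    # Constructed sample: a 30-day signature observed six days after inception.
    window = rrsig_replay_window("20160915000000", "20161015000000", "20160921122620")
    print(f"captured SOA RRSIG still validates for {window} s (~{window // 86400} days)")
    print(classify_serial_hint(2016092001, 2016092101))  # newer
    print(classify_serial_hint(0xFFFFFFF0, 5))            # newer (serial wrapped)
```

The replay window is simply the remaining signature lifetime, which is why a signed SOA does not close the gap the reply describes: the validator accepts the old RRset for as long as its RRSIG is unexpired. The serial comparison handles 32-bit wraparound, the case a naive `>` gets wrong.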