Re: DNS attacks evolve

* Jack Bates · * Mon Aug 11 10:42:02 2008

Joe Greco wrote:

6) Have someone explain to me the reasoning behind allowing the corruption

of in-cache data, even if the data would otherwise be in-baliwick. I'm
not sure I quite get why this has to be. It would seem to me to be safer

to discard the data. (Does not eliminate the problem, but would seem to

me to reduce it)
I had this question in my post weeks ago. No one bothered to reply. Older
poisoning is why the auth data must be within the same zone to be cached, but
apparently no one bothered to question the wisdom of altering existing cache data.
Wish they'd just fix the fault in the logic and move on. Talking til everyone is
blue in the face about protocol changes and encryption doesn't serve operations.
There are recursive resolvers that work just fine without the issues some
standard resolvers have. The protocol seems to work, some vendors just need to
change how they use it and tighten up on cache integrity.
7) Have someone explain to me the repeated claims I've seen that djbdns and
   Nominum's server are not vulnerable to this, and why that is.

PowerDNS has this to say about their non-vulnerability status:
http://mailman.powerdns.com/pipermail/pdns-users/2008-July/005536.html
I know some very happy providers that haven't had to patch. I hope to be one of
them on the next round.

Jack