On Mon, Aug 11, 2008 at 5:45 PM, JINMEI Tatuya / 神明達哉 <[EMAIL PROTECTED]> wrote:

> Did you actually confirm this behavior? As far as I understand the
> code (and I actually checked the behavior previously) BIND9 doesn't
> replace an authoritative RRset with a glue. Or in other words, it
> strictly follows the rule of RFC2181.

I was just trying to locate the code that's actually responsible for Dan Kaminsky's vulnerability. As described by him, upon successful poisoning, the attacker returns a message that says "don't know the IP for abc123.foo.com, but check with www.foo.com at 5.6.7.8". The exploit relies on the fact that BIND will overwrite its currently cached entry for www.foo.com (1.2.3.4) with this new information (5.6.7.8). I was trying to locate where in the code this happens, and also to understand why it *has* to happen that way (i.e., what would break if I simply ignored the new info and kept my current data in the cache)?

> Codewise, what should be referred to is line 4944 (9.5.1b1) of
> lib/dns/rbtdb.c rather than resolver.c:

I was looking for where in the code my 1.2.3.4 will be overwritten with 5.6.7.8 in the above example...

Thanks much !

--Gabriel
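As an added illustration of the RFC 2181 rule JINMEI is referring to (this is a constructed model, not part of the thread and not BIND's code), the following Python sketches a cache that ranks incoming RRsets by the trust levels of RFC 2181 section 5.4.1 and refuses to let lower-trust data replace higher-trust data. It uses the names and addresses from Gabriel's example; the response layout, the `Trust` levels as coded, and the `ingest_response` dictionary format are assumptions made for this example.

```python
"""Model of RFC 2181 section 5.4.1 trust ranking for a DNS cache.

Constructed example: shows why a glue record in the additional section
of a reply for one name cannot overwrite an RRset that the cache already
holds from an authoritative answer. Names, addresses and the response
dict layout are made up for illustration.
"""
from dataclasses import dataclass
from enum import IntEnum


class Trust(IntEnum):
    """Trust levels, lowest to highest (simplified from RFC 2181 5.4.1).
    Data at a lower level may never replace cached data at a higher one."""
    ADDITIONAL_NONAUTH = 1   # additional section of a non-authoritative reply
    ANSWER_NONAUTH = 2       # answer section of a non-authoritative reply
    GLUE = 3                 # additional section of an authoritative reply
    AUTHORITY = 4            # authority section of an authoritative reply
    ANSWER_AUTH = 5          # answer section of an authoritative reply


@dataclass(frozen=True)
class RRset:
    name: str
    rtype: str
    rdata: tuple
    trust: Trust


class Cache:
    """Keyed by (owner name, type); one RRset per key, tagged with its trust."""

    def __init__(self):
        self._store = {}

    def add(self, rrset: RRset) -> bool:
        """Insert or replace. Returns False (and changes nothing) when the
        incoming RRset is less trustworthy than what is already cached."""
        key = (rrset.name.lower().rstrip("."), rrset.rtype)
        current = self._store.get(key)
        if current is not None and rrset.trust < current.trust:
            return False
        self._store[key] = rrset
        return True

    def lookup(self, name: str, rtype: str):
        return self._store.get((name.lower().rstrip("."), rtype))


def section_trust(section: str, aa: bool) -> Trust:
    """Map a response section plus the AA flag to a trust level."""
    if aa:
        return {"answer": Trust.ANSWER_AUTH,
                "authority": Trust.AUTHORITY,
                "additional": Trust.GLUE}[section]
    return {"answer": Trust.ANSWER_NONAUTH,
            "authority": Trust.ADDITIONAL_NONAUTH,
            "additional": Trust.ADDITIONAL_NONAUTH}[section]


def ingest_response(cache: Cache, response: dict) -> dict:
    """Feed every RRset of a parsed response into the cache.

    `response` is a constructed dict: {'aa': bool, 'answer': [...],
    'authority': [...], 'additional': [...]}, each entry being
    (name, type, rdata-tuple). Returns which RRsets were accepted."""
    outcome = {}
    for section in ("answer", "authority", "additional"):
        trust = section_trust(section, response["aa"])
        for name, rtype, rdata in response.get(section, ()):
            accepted = cache.add(RRset(name, rtype, tuple(rdata), trust))
            outcome[(name, rtype)] = accepted
    return outcome


def demo() -> dict:
    """Cache holds www.foo.com from an authoritative answer; a later reply
    for an unrelated name then carries a conflicting www.foo.com glue record."""
    cache = Cache()
    # Earlier authoritative answer for www.foo.com (constructed).
    ingest_response(cache, {
        "aa": True,
        "answer": [("www.foo.com", "A", ("1.2.3.4",))],
    })
    # Later reply for abc123.foo.com: "ask www.foo.com at 5.6.7.8" (constructed).
    outcome = ingest_response(cache, {
        "aa": True,
        "answer": [],
        "authority": [("foo.com", "NS", ("www.foo.com",))],
        "additional": [("www.foo.com", "A", ("5.6.7.8",))],
    })
    cached = cache.lookup("www.foo.com", "A")
    return {
        "glue_accepted": outcome[("www.foo.com", "A")],
        "cached_rdata": cached.rdata,
        "cached_trust": cached.trust.name,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the glue A record for www.foo.com being rejected while the cached 1.2.3.4 entry (trust `ANSWER_AUTH`) survives; a fresh authoritative answer for www.foo.com would still be allowed to replace it, since that is the same or higher trust level. The model shows the ranking rule in isolation; it does not represent any other checks a real resolver applies.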
