On Tue, Sep 02, 2008 at 02:10:12PM -0700, JINMEI Tatuya / 神明達哉 <Jinmei_Tatuya@isc.org> wrote:
>
> No, the presence of an A record simply means the attack is not
> effective until the A record expires (the attack itself succeeds
> anytime unless the server also caches www.cnn.com./NS, which is very
> unlikely). When "it gets renewed again", the server is already
> poisoned with the forged NS, and it will be poisoned with a forged A
> record by the forged NS.
Just shooting from the hip here, but what if we made it a rule to never cache an NS record for longer than an existing, identically named A record?

Thanks,
Gabriel
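Gabriel's proposed rule, as an added sketch that is not code from this thread or from any real resolver: a toy positive cache that caps a newly cached NS record's lifetime at the remaining TTL of an already cached A record with the same owner name, replayed against the forged-NS scenario Jinmei describes. The names, TTLs and the 192.0.2.10 address are constructed for the illustration.

```python
import time

class FakeClock:
    """Deterministic clock so the cache behaviour can be replayed offline."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds

class ResolverCache:
    """Toy positive cache keyed by (owner name, type) with absolute expiry times."""
    def __init__(self, now=time.time, cap_ns_to_a=True):
        self.now = now
        self.cap_ns_to_a = cap_ns_to_a
        self.records = {}  # (name, rtype) -> (rdata, expiry)

    def insert(self, name, rtype, rdata, ttl):
        expiry = self.now() + ttl
        existing_a = self.records.get((name, "A"))
        # Gabriel's rule: an NS record never outlives a cached A of the same name.
        if self.cap_ns_to_a and rtype == "NS" and existing_a is not None:
            expiry = min(expiry, existing_a[1])
        self.records[(name, rtype)] = (rdata, expiry)

    def lookup(self, name, rtype):
        entry = self.records.get((name, rtype))
        if entry is None or entry[1] <= self.now():
            self.records.pop((name, rtype), None)  # expired: purge and report a miss
            return None
        return entry[0]

def forged_ns_after_a_expires(cap_ns_to_a):
    """Replay the thread's scenario and return whatever NS rdata is still cached
    (or None) once the genuine A record has expired. All values are constructed."""
    clock = FakeClock()
    cache = ResolverCache(now=clock, cap_ns_to_a=cap_ns_to_a)
    cache.insert("www.cnn.com.", "A", "192.0.2.10", 300)               # genuine A, 300 s left
    cache.insert("www.cnn.com.", "NS", "ns.attacker.example.", 86400)  # forged NS, one-day TTL
    clock.advance(301)                                                 # the A has now expired
    return cache.lookup("www.cnn.com.", "NS")

if __name__ == "__main__":
    print("without rule:", forged_ns_after_a_expires(False))  # ns.attacker.example.
    print("with rule:   ", forged_ns_after_a_expires(True))   # None
```

With the cap in place the forged NS expires together with the A it was waiting on, so the resolver has to re-resolve from its normal path rather than from the forged delegation; an NS cached for a name that has no A record is, as in Gabriel's wording, not affected.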