On Tue, Sep 02, 2008 at 02:10:12PM -0700, [EMAIL PROTECTED] wrote:
> 
> No, the presence of an A record simply means the attack is not
> effective until the A record expires (the attack itself succeeds
> anytime unless the server also caches www.cnn.com./NS, which is very
> unlikely).  When "it gets renewed again", the server is already
> poisoned with the forged NS, and it will be poisoned with a forged A
> record by the forged NS.

OK, how about this new patch? At the option of the resolver's admin,
ns records of equal authority will not overwrite valid cached ones.
Also, the TTL of an NS record being cached will be cut down to the
value of an existing A record's TTL, to prevent the "5-point palm
exploding-heart technique" you described above :)

I tried this, and it covers all the scenarios we discussed so far. I
even made it an option in the named.conf file, off by default. Turning
it on will, I believe, still leave the server in an RFC-compliant mode.

Please let me know if there are any other attack variants we didn't cover
yet, and otherwise what your thoughts are regarding this patch.

Thanks,
--Gabriel
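
The two rules described above (an NS RRset of equal credibility does not overwrite a valid cached one, and a newly cached NS RRset's TTL is capped at the TTL of an A record already cached for the same name) can be modelled in a toy resolver cache. The following Python is an added illustration for this archive page, not Gabriel's patch (which is not reproduced here) and not BIND code; the trust ranks, the `protect_ns` flag standing in for the named.conf option, and the `www.cnn.com.` address and name-server values are constructed for the example.

```python
"""Toy resolver cache modelling the two NS-protection rules from the thread.

Constructed example, not the patch under discussion.  The trust ranks are a
simplified stand-in for the credibility ordering a real resolver applies to
answer / authority / additional section data.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Simplified credibility ranks (constructed; a real resolver has more levels).
TRUST_ADDITIONAL = 1
TRUST_AUTHORITY = 2
TRUST_ANSWER = 3


@dataclass(frozen=True)
class RRset:
    name: str
    rtype: str
    rdata: Tuple[str, ...]
    ttl: int
    trust: int


class Cache:
    """Cache keyed on (owner name, type); one RRset per key."""

    def __init__(self, protect_ns: bool = False) -> None:
        # protect_ns plays the role of the named.conf option described in
        # the message: off by default.
        self.protect_ns = protect_ns
        self.store: Dict[Tuple[str, str], RRset] = {}

    def get(self, name: str, rtype: str) -> Optional[RRset]:
        return self.store.get((name.lower(), rtype))

    def insert(self, rr: RRset) -> str:
        """Apply the cache-update policy and report what happened."""
        key = (rr.name.lower(), rr.rtype)
        existing = self.store.get(key)

        if existing is not None:
            # Standard rule: less credible data never replaces more credible.
            if rr.trust < existing.trust:
                return "rejected-lower-trust"
            # Rule 1 (option on): an NS RRset of *equal* credibility does not
            # overwrite a valid cached one, so a forged NS in an authority
            # section cannot displace the real delegation.
            if self.protect_ns and rr.rtype == "NS" and rr.trust == existing.trust:
                return "kept-existing"

        if self.protect_ns and rr.rtype == "NS":
            # Rule 2 (option on): cap the NS TTL at the TTL of an A record
            # already cached for the same name, so a forged delegation cannot
            # outlive the genuine address data it is waiting to replace.
            a = self.get(rr.name, "A")
            if a is not None and a.ttl < rr.ttl:
                rr = RRset(rr.name, rr.rtype, rr.rdata, a.ttl, rr.trust)

        self.store[key] = rr
        return "inserted"


def scenario(protect_ns: bool) -> Dict[str, object]:
    """Replay the www.cnn.com. scenario from the thread against one cache.

    Constructed data: the address and name-server values are placeholders.
    """
    c = Cache(protect_ns=protect_ns)
    # Genuine A record for www.cnn.com. with 300 s left on its TTL.
    c.insert(RRset("www.cnn.com.", "A", ("192.0.2.10",), 300, TRUST_ANSWER))
    # A forged NS for www.cnn.com. arrives in an authority section with a
    # week-long TTL; no NS RRset for that name is cached yet.
    first = c.insert(RRset("www.cnn.com.", "NS", ("ns.forged.example.",),
                           604800, TRUST_AUTHORITY))
    ns_after_first = c.get("www.cnn.com.", "NS")
    # A second forged NS of equal credibility tries to overwrite the first.
    second = c.insert(RRset("www.cnn.com.", "NS", ("ns2.forged.example.",),
                            604800, TRUST_AUTHORITY))
    ns_after_second = c.get("www.cnn.com.", "NS")
    return {
        "first": first,
        "ns_ttl": ns_after_first.ttl,
        "second": second,
        "ns_rdata": ns_after_second.rdata,
    }


if __name__ == "__main__":
    for flag in (False, True):
        print("protect_ns =", flag, "->", scenario(flag))
```

With the option off, the forged NS is cached for its full week and the second forgery overwrites the first; with it on, the NS TTL is clipped to the 300 s remaining on the genuine A record and the second forgery is refused, which is the behaviour the message describes.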
