On Feb 8 2012, Kazunori Fujiwara wrote:

Searching for the title of the vulnerability on Google yields one PDF document.
 http://www.google.co.jp/#q=Ghost+Domain+Names:+Revoked+Yet+Still+Resolvable+PDF

It shows details.

More directly, http://www.cs.indiana.edu/classes/b649-gupt/kangLiNDSS12.pdf

This is definitely worth reading, being an interesting new twist on a
fairly old theme.

I have some concerns about what the authors seem to favour as a defense
(section 5.1, page 9):

 "1. Strengthening the bailiwick rule - DNS resolver implementations
     should tighten the bailiwick rule so that a recursive resolver
     only accepts a zone's delegation data from [an] authoritative
     server of a its parent zone."

They admit this would create a problem with "authority mismatches", i.e.
differences between the delegation NS RRset and the in-zone one, and that
these are "common in practice". Well yes, in spades! It would also be
quite inconsistent with the existing credibility rules, and with the
fact that in signed zones the delegation NS RRset is unsigned, on the
basis that it is a hint, not authoritative.

--
Chris Thompson
Email: c...@cam.ac.uk
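As an added illustration (not code from this thread or from the paper), the following Python models the two NS-caching policies the message contrasts: today's credibility ranking, where a child's authoritative NS RRset outranks the parent's delegation hint, and the paper's proposed tightening, where only the parent's delegation data is accepted. Zone names and RRsets are constructed sample data.

```python
# Added example: models how a resolver cache accepts a zone's NS RRset under
# (a) RFC 2181 credibility ranking and (b) the paper's stricter bailiwick rule,
# and shows the "authority mismatch" case the message says is common.
# All names and RRsets below are constructed, not real DNS data.
from dataclasses import dataclass, field

# RFC 2181 section 5.4.1 style ranks: higher is more trustworthy.
RANK_AUTH_ANSWER = 3   # NS RRset in an authoritative answer from the child
RANK_DELEGATION = 1    # NS RRset in a referral from the parent (a hint only)

@dataclass
class CachedRRset:
    names: frozenset
    rank: int
    source: str          # "parent" (delegation) or "child" (in-zone)

@dataclass
class ResolverCache:
    strict_bailiwick: bool = False   # True = the paper's proposed rule
    cache: dict = field(default_factory=dict)

    def offer_ns(self, zone, names, rank, source):
        """Offer an NS RRset to the cache; return True if it was stored."""
        if self.strict_bailiwick and source != "parent":
            return False               # only parent-side delegation data allowed
        current = self.cache.get(zone)
        if current is not None and current.rank > rank:
            return False               # existing data is more credible; keep it
        self.cache[zone] = CachedRRset(frozenset(names), rank, source)
        return True

    def ns(self, zone):
        entry = self.cache.get(zone)
        return set(entry.names) if entry else set()

def authority_mismatch(parent_ns, child_ns):
    """Names present in only one of the delegation and apex NS RRsets."""
    return set(parent_ns) ^ set(child_ns)

# Constructed sample: the parent delegates to two servers, but the child's
# apex NS RRset also lists a third, the kind of mismatch seen in practice.
PARENT_NS = {"ns1.example.test.", "ns2.example.test."}
CHILD_NS = {"ns1.example.test.", "ns2.example.test.", "ns3.hoster.test."}

def cached_ns_after_lookup(strict):
    """Return the NS set a resolver ends up using under the chosen policy."""
    r = ResolverCache(strict_bailiwick=strict)
    r.offer_ns("example.test.", PARENT_NS, RANK_DELEGATION, "parent")
    r.offer_ns("example.test.", CHILD_NS, RANK_AUTH_ANSWER, "child")
    return r.ns("example.test.")
```

Under the current rules the resolver adopts the child's apex NS set; under the strict rule it keeps only the parent's, so the third server is never used and the mismatch becomes an operational problem rather than a harmless hint.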
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users