Mukund Sivaraman <m...@isc.org> wrote:
> There's an attempt to make it go one step further by refreshing whole
> zones in the cache:
> It needs another section to be completed before upload, possibly in time
> for IETF-97.
Oh dear, that is deeply problematic wrt DNSSEC.
It allows an attacker to suppress modifications to a zone (i.e. prevent a
cache from seeing changed records) by fiddling with the EDNS ZONE option
in responses to queries from the cache.
It's hard to fix this: even if you use the signed SOA RRset instead of the
unsigned ZONESERIAL and ZONENAME in the ZONE option, an attacker can still
replay old SOA records up to the signature expiry time, which is frequently
weeks in the future. Now, to be fair, DNSSEC already allows this kind of
replay attack. But the ZONE option greatly magnifies the effect of a
f.anthony.n.finch <d...@dotat.at> http://dotat.at/ - I xn--zr8h punycode
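To make the replay window discussed above concrete, here is an added Python model of a cache's "has the zone changed?" decision; it is not BIND or draft code, and the SignedSOA type, function names and timestamps are constructed for illustration.

```python
# Constructed model of a cache deciding whether a zone has changed, comparing
# the unsigned ZONE option path with a signed-SOA path. Hypothetical names;
# times are Unix seconds. Not BIND or draft code.
from dataclasses import dataclass

WEEK = 7 * 24 * 3600


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 serial number arithmetic: True when a is newer than b (32-bit)."""
    return a != b and ((a - b) & 0xFFFFFFFF) < 0x80000000


@dataclass
class SignedSOA:
    serial: int
    rrsig_inception: int
    rrsig_expiration: int
    sig_ok: bool  # outcome of DNSSEC validation, assumed done by the resolver


def zone_changed_unsigned(cached_serial: int, option_serial: int) -> bool:
    """ZONE option path: ZONESERIAL is unsigned, so whatever the response
    carries is believed; a rewritten value hides a real zone change."""
    return serial_gt(option_serial, cached_serial)


def zone_changed_signed(cached_serial: int, soa: SignedSOA, now: int) -> str:
    """Signed-SOA path: authenticity plus a validity window, but no freshness.
    An old SOA that still validates is indistinguishable from a current one."""
    if not soa.sig_ok:
        return "reject"
    if not soa.rrsig_inception <= now <= soa.rrsig_expiration:
        return "reject"
    return "changed" if serial_gt(soa.serial, cached_serial) else "unchanged"


def replay_window(soa: SignedSOA, now: int) -> int:
    """Seconds for which a captured SOA RRset keeps validating."""
    return max(0, soa.rrsig_expiration - now)


def demo():
    cached = 2016110101            # serial the cache already holds
    now = 1_479_000_000            # constructed "now"
    # The zone was republished with serial 2016110102, but the response the
    # cache sees still carries the old serial (unsigned option rewritten, or
    # an old signed SOA replayed while its RRSIG is within its validity).
    unsigned = zone_changed_unsigned(cached, 2016110101)
    old = SignedSOA(2016110101, now - 3 * 24 * 3600, now + 2 * WEEK, sig_ok=True)
    signed = zone_changed_signed(cached, old, now)
    return unsigned, signed, replay_window(old, now) // WEEK
```

The tuple from demo() shows that neither path reports the change, and that the signed SOA remains acceptable for two more weeks, the bound set only by RRSIG expiration.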