On Mon, 4 Aug 2008 12:30:47 EDT, Ed Finnell <[EMAIL PROTECTED]>
wrote:
>...
>>[EMAIL PROTECTED] writes:
>>
>>Recursion is the norm for DNS. I've never seen a DNS set up any
>>other way.
>...
>But isn't that out of ignorance or pre-exploitation? ...
I don't think it's "out of ignorance" at all. As I understand it, the
whole concept of DNS lookups is built around recursion - "I don't
know, but I know who does". The only 2 real choices are "I'll go ask
him" or "You go ask him". (Maybe only the first is considered
recursive. I don't know DNS processing that well. I'm not even
sure the 2nd option is part of standard DNS processing.)
I thought this newly surfaced vulnerability was based on "I don't
know, but he knows something that's close" processing - something
I'd never heard of before this past weekend.
In any case it sounds like the vulnerability is not due to a bug
but due to the DNS architecture. I can't imagine what the "fix"
is unless it is disabling the "in-bailiwick" processing.
BTW, a forwarding/caching name server on MVS is not directly
vulnerable, but will, of course, cache the bad address resolved
by a name server that has been corrupted. And then its cache
is just as poisoned as a vulnerable server's. Clearing the cache
often lessens even that problem, but it sort of lessens the value
of a DNS cache, too.
Pat O'Keefe
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
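The "in-bailiwick" rule discussed in the post, shown as an added example (not code from the IBM-MAIN thread or from any MVS name server): a toy resolver cache that only caches records whose owner names fall inside the zone the answering server was consulted for, so a reply about one domain cannot plant an address for an unrelated one. The record layout and the sample response are constructed for illustration.

```python
# Added example: a minimal caching resolver that applies a bailiwick check.
# Record format and the sample response below are constructed, not real traffic.
from typing import Dict, List, NamedTuple

class RR(NamedTuple):
    name: str     # owner name, e.g. "www.example.com."
    rtype: str    # record type, e.g. "A" or "NS"
    data: str     # address or host name

def norm(name: str) -> str:
    """Lower-case and add the trailing dot so names compare exactly."""
    name = name.lower()
    return name if name.endswith(".") else name + "."

def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is `zone` itself or lies below it in the DNS tree.
    The leading dot in the suffix test stops 'notexample.com.' from
    matching the zone 'example.com.'."""
    n, z = norm(name), norm(zone)
    if z == ".":              # the root zone covers every name
        return True
    return n == z or n.endswith("." + z)

class Cache:
    def __init__(self) -> None:
        self.records: Dict[str, List[RR]] = {}
        self.rejected: List[RR] = []   # kept so a defender can log what was dropped

    def accept_response(self, zone: str, answer: List[RR], additional: List[RR]) -> None:
        """`zone` is the zone we were referred to this server for. Only records
        owned by names inside that zone are cached; the rest are discarded."""
        for rr in answer + additional:
            if in_bailiwick(rr.name, zone):
                self.records.setdefault(norm(rr.name), []).append(rr)
            else:
                self.rejected.append(rr)

    def lookup(self, name: str, rtype: str) -> List[str]:
        return [rr.data for rr in self.records.get(norm(name), []) if rr.rtype == rtype]

def demo() -> Cache:
    """Constructed reply from a server consulted for example.com."""
    cache = Cache()
    cache.accept_response(
        zone="example.com.",
        answer=[RR("www.example.com.", "A", "192.0.2.10")],
        additional=[
            RR("ns1.example.com.", "A", "192.0.2.53"),    # in bailiwick: cached
            RR("bank.example.net.", "A", "203.0.113.66"), # out of bailiwick: dropped
        ],
    )
    return cache
```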