Home page logo

nanog logo nanog mailing list archives

Re: how to protect name servers against cache corruption
From: tqbf () smtp enteract com
Date: 30 Jul 1997 00:02:07 -0000

In article <199707222024.NAA14009 () wisdom rc vix com>, you wrote:
a BIND 4.9.6 or 8.1.1 server is immune.  so, you could upgrade.  to so do,
see http://www.isc.org/isc/ which will lead you to ftp://ftp.isc.org/isc/.
(the root name servers are all running modern software at this point.)

Immune to which attack? The poisoned resource-record attack? The ID
guessing attack? How have you confirmed that 8.1.1 is not vulnerable to
related attacks?

Since, as you say, this has an "operations" context (the integrity of the
Internet domain service in realistic danger), it might be appropriate and
appreciated for you to detail the steps you and the ISC have taken to
resolve these problems in BIND 8.1.1. Does 8.1.1 validate resource
records? Does it use random query IDs? 

My understanding of Kashpureff's attack was that it was of minimal
complexity (specifically, that he ripped off some kid's cname-bouncing
script). I am therefore concerned at what appears to be the use of his
apparently unsophisticated attack as a metric for the security of BIND

Thanks for reading this, and for your time!

Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf () enteract com]
exit(main(kfp->kargc, argv, environ));

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]