mailing list archives
Re: how to protect name servers against cache corruption
From: tqbf () smtp enteract com
Date: 30 Jul 1997 00:02:07 -0000
In article <199707222024.NAA14009 () wisdom rc vix com>, you wrote:
a BIND 4.9.6 or 8.1.1 server is immune. so, you could upgrade. to so do,
see http://www.isc.org/isc/ which will lead you to ftp://ftp.isc.org/isc/.
(the root name servers are all running modern software at this point.)
Immune to which attack? The poisoned resource-record attack? The ID
guessing attack? How have you confirmed that 8.1.1 is not vulnerable to
Since, as you say, this has an "operations" context (the integrity of the
Internet domain service in realistic danger), it might be appropriate and
appreciated for you to detail the steps you and the ISC have taken to
resolve these problems in BIND 8.1.1. Does 8.1.1 validate resource
records? Does it use random query IDs?
My understanding of Kashpureff's attack was that it was of minimal
complexity (specifically, that he ripped off some kid's cname-bouncing
script). I am therefore concerned at what appears to be the use of his
apparently unsophisticated attack as a metric for the security of BIND
Thanks for reading this, and for your time!
Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf () enteract com]
exit(main(kfp->kargc, argv, environ));