mailing list archives
Re: how to protect name servers against cache corruption
From: tqbf () smtp enteract com
Date: 30 Jul 1997 23:52:18 -0000
In article <199707301403.KAA08865 () jekyll piermont com>, you wrote:
Oh, beautiful. I'd love a tool like that -- it would give me a way of
forcing copies of BIND that had been rigged not to accept arbitrary
I'm sorry I'm not being more clear about this, but I figured the word
"re-issued" would convey the point. I will reiterate clearly:
BIND, upon detecting forged responses to an OPEN QUERY, INVALIDATES the
old query (which currently means taking the query's ID off the list of
in-use query IDs) and initiates a NEW query.
BIND, upon receiving a response to a query that isn't even open, logs and
ignores the packet.
outside queries to make queries of my choice. Were I a systems
cracker, I would love such a tool.
I can think of some other mean hacks I could do with that facility, too.
Well, it's a good thing nobody has proposed that "tool".
The problem is not a lack of "clever hacks". The problem is a lack of
security in the DNS protocols without DNSSEC.
The problem is that DNSSEC is not going to happen within the next 3
months; what are people running production networks using the old
protocols going to do until it IS completely available?
Put more directly: if I publish an exploit for a problem in the DNS
protocol that cannot be fixed completely without DNSSEC, /What do you do/?
You operate a highly available network used by thousands of customers
daily, all of whom are angrily calling and asking why they're seeing PORN
when they fire up their copy of Netscape, which happily resolves
HOME.NETSCAPE.COM to WWW.PORNSHOP.COM.
Remember, this is a problem that can't be fixed without a
globally-deployed protocol re-vamp. What do you do?
Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf () enteract com]
exit(main(kfp->kargc, argv, environ));