
oss-sec mailing list archives

Re: CVE Request New-djbdns: dnscache: potential cache poisoning
From: P J P <ppandit () redhat com>
Date: Tue, 11 Feb 2014 12:24:21 +0530 (IST)


+-- On Mon, 10 Feb 2014, P J P wrote --+
| I'll check with the upstream author for more clarification.

Upstream author's reply:

On Tuesday, 11 February 2014 4:28 AM, Frank Denis wrote:

The shorter the TTL of a record is, the easier a cache can be poisoned.
It is when a record is NOT cached that spoofed authoritative replies
can be sent and get a chance to reach the resolver before the
legitimate one.

As soon as a valid response is received, dnscache invalidates the state,
discarding further responses, even if these are valid.

Hope it helps. Thank you.
Prasad J Pandit / Red Hat Security Response Team
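The two points in the reply above, that a spoofer only gets a chance while a record is not cached (so the number of chances scales with 1/TTL) and that the first accepted answer closes the query so later answers are dropped, as an added example. This is a small Python model written for this page, not dnscache's code: the Resolver class, the record name www.example.com, the addresses 192.0.2.10 and 198.51.100.66, and the assumption that a reply must match both the 16-bit transaction id and the query's UDP source port are all constructed for illustration.

```python
"""Added example (not dnscache code): a minimal model of a caching resolver
that races spoofed replies against the legitimate one.

Assumptions made for the model: one outstanding query per name at a time,
and a reply is accepted only if its transaction id and destination port match
the outstanding query. Names and addresses below are constructed samples."""
import random
from dataclasses import dataclass


@dataclass
class Response:
    qname: str
    txid: int      # 16-bit DNS transaction id
    port: int      # UDP source port the query was sent from
    rdata: str
    ttl: int


class Resolver:
    """Caching resolver that opens one query per name and accepts the first matching reply."""

    def __init__(self, rng):
        self.rng = rng
        self.now = 0
        self.cache = {}      # qname -> (rdata, expiry time)
        self.pending = {}    # qname -> (txid, port) while a query is outstanding
        self.rejected = 0

    def lookup(self, qname):
        """Return cached rdata while it is still valid; otherwise open a query and return None."""
        entry = self.cache.get(qname)
        if entry is not None and entry[1] > self.now:
            return entry[0]
        if qname not in self.pending:
            self.pending[qname] = (self.rng.randrange(1 << 16),
                                   self.rng.randrange(1024, 1 << 16))
        return None

    def receive(self, resp):
        """Accept a reply only while a query for that name is outstanding and the
        (txid, port) pair matches. Accepting clears the pending state, so every later
        reply for the same query is rejected, whether it would have matched or not."""
        expected = self.pending.get(resp.qname)
        if expected is None or expected != (resp.txid, resp.port):
            self.rejected += 1
            return False
        self.cache[resp.qname] = (resp.rdata, self.now + resp.ttl)
        del self.pending[resp.qname]
        return True


NAME = "www.example.com"   # constructed sample name
LEGIT = "192.0.2.10"       # constructed legitimate answer
EVIL = "198.51.100.66"     # constructed attacker-chosen answer


def count_windows(ttl, horizon, seed=1):
    """Number of seconds in [0, horizon) at which NAME is not cached, i.e. the number
    of separate races a spoofer gets. Shorter TTL means more windows."""
    r = Resolver(random.Random(seed))
    windows = 0
    for t in range(horizon):
        r.now = t
        if r.lookup(NAME) is None:
            windows += 1
            txid, port = r.pending[NAME]          # the real server echoes the query's id/port
            r.receive(Response(NAME, txid, port, LEGIT, ttl))
    return windows


def first_answer_wins(seed=1):
    """After the legitimate reply is accepted, a later reply that matches the same
    id/port (a spoof that guessed right, but too late) is discarded."""
    r = Resolver(random.Random(seed))
    r.lookup(NAME)
    txid, port = r.pending[NAME]
    first = r.receive(Response(NAME, txid, port, LEGIT, 300))
    late = r.receive(Response(NAME, txid, port, EVIL, 86400))
    return first, late, r.lookup(NAME)


def blind_spoofs(ttl, attempts, seed=1):
    """Blind spoofing of one outstanding query: each attempt guesses txid and port
    independently. Returns (poisoned, rejected_count) once the legitimate reply
    has also arrived; the legitimate reply is itself rejected if a spoof won first."""
    rng = random.Random(seed)
    r = Resolver(rng)
    r.lookup(NAME)
    txid, port = r.pending[NAME]
    poisoned = False
    for _ in range(attempts):
        guess = Response(NAME, rng.randrange(1 << 16), rng.randrange(1024, 1 << 16), EVIL, 86400)
        if r.receive(guess):
            poisoned = True
    r.receive(Response(NAME, txid, port, LEGIT, ttl))
    return poisoned, r.rejected


if __name__ == "__main__":
    print("windows over 10 s, ttl=1:", count_windows(1, 10), "ttl=3600:", count_windows(3600, 10))
    print("first/late accepted, cached:", first_answer_wins())
    print("blind spoofs (poisoned, rejected):", blind_spoofs(300, 1000))
```

The model shows why the TTL matters for this attack class: with a TTL of 1 s the resolver re-queries every second and every re-query is a fresh race, while with a long TTL there is one race per TTL period. It also shows the state invalidation the reply describes: once the first matching answer is accepted there is nothing left to match against, so a spoof that lands afterwards is dropped even if it would have matched.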

