[dns-operations] Description of the "Kashpureff-style DNS cache corruption attack"
Florian Weimer
fw at deneb.enyo.de
Sun Nov 26 16:30:37 UTC 2006
There's this curious note on the ISC web page:
| BIND4/BIND8 Unsuitable for Forwarder Use
|
| If any nameserver, whether BIND or not is configured to use
| forwarders, then none of those target forwarders should be running
| BIND4 or BIND8. Upgrade all nameservers used as forwarders to
| BIND9. There is a current, wide scale Kashpureff-style DNS cache
| corruption attack which depends on BIND4 and BIND8 as forwarders
| targets.
It seems that other sources are somewhat reluctant to name a software
bug after a convicted felon, so it's kind of hard to find the
technical details. CERT/CC advisory CA-1997-22 seems to deal with this
bug, but is a bit short on the technical side as well.
I'm interested in this issue because I wand to deploy BIND 9 in
forward-only mode, and I don't know what kind of software the
forwarders are running. I can't imagine how this bug can be triggered
in forward-only mode, but I want to make sure that I'm not missing
anything.
More information about the dns-operations
mailing list