[dns-operations] Description of the "Kashpureff-style DNS cache corruption attack"

Florian Weimer fw at deneb.enyo.de
Sun Nov 26 16:30:37 UTC 2006

There's this curious note on the ISC web page:

| BIND4/BIND8 Unsuitable for Forwarder Use 
| If any nameserver, whether BIND or not is configured to use
| forwarders, then none of those target forwarders should be running
| BIND4 or BIND8. Upgrade all nameservers used as forwarders to
| BIND9. There is a current, wide scale Kashpureff-style DNS cache
| corruption attack which depends on BIND4 and BIND8 as forwarders
| targets.

It seems that other sources are somewhat reluctant to name a software
bug after a convicted felon, so it's kind of hard to find the
technical details. CERT/CC advisory CA-1997-22 seems to deal with this
bug, but is a bit short on the technical side as well.

I'm interested in this issue because I wand to deploy BIND 9 in
forward-only mode, and I don't know what kind of software the
forwarders are running.  I can't imagine how this bug can be triggered
in forward-only mode, but I want to make sure that I'm not missing

More information about the dns-operations mailing list