[dns-operations] Description of the "Kashpureff-style DNS cache corruption attack"

Florian Weimer fw at deneb.enyo.de
Mon Nov 27 12:52:17 UTC 2006

* Paul Vixie:

> if you forward through a server that doesn't do any cache-pollution prevention
> then you will not have any way to apply rules such as "don't cache/reuse this
> additional data since it's not being supplied by a server who i think of as
> authoritative for the zone of the owner-name".  all you can do is hope that
> the server you're forwarding through has done that kind of work for you.

This shouldn't be a problem in a forward-only setting.  The resolver
serving the clients must not return RRs it has learnt from additional
sections (at least not when queried with the RD flag) because it
cannot know that the record set is complete.  To my knowledge, BIND 9
implements this correctly.  Such information should only be used for
locating authoritative servers (which is not necessary in a
forward-only environment).
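
To make the distinction concrete, here is a toy model of a resolver cache that treats additional-section data the way the message describes: it is kept only for locating nameservers (and only when in the bailiwick of the server that supplied it, as in Paul Vixie's rule), and it is never handed back to a client asking with RD=1, because an RRset gleaned from additional sections may be incomplete. This is an added illustration written for this page, not BIND 9's implementation or any code from the list thread; the zone names, addresses and the Credibility ranking are constructed for the example.

```python
"""Toy recursive-resolver cache: answer-grade data vs. additional-section glue.

Constructed example for illustration only; not BIND code.
"""
from dataclasses import dataclass
from enum import IntEnum


class Credibility(IntEnum):
    """Trust ranking for cached RRsets (names and ordering are assumptions)."""
    ADDITIONAL = 1   # additional section: usable only for finding nameservers
    AUTHORITY = 2    # authority-section NS records from a referral
    ANSWER = 3       # answer section of an authoritative (AA=1) response


@dataclass(frozen=True)
class RR:
    name: str
    rtype: str
    rdata: str


@dataclass
class CacheEntry:
    rrset: frozenset
    credibility: Credibility


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is at or below `zone` (case-insensitive, trailing dot ignored)."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


class ResolverCache:
    def __init__(self):
        self.entries = {}  # (lowercased owner name, rtype) -> CacheEntry

    def store(self, rrset, credibility: Credibility, server_zone: str) -> bool:
        """Cache an RRset learned from a server authoritative for `server_zone`.

        Records outside that server's bailiwick are dropped, and lower-credibility
        data never overwrites higher-credibility data.  Returns True if stored.
        """
        rrset = frozenset(rrset)
        names = {rr.name.lower() for rr in rrset}
        types = {rr.rtype for rr in rrset}
        if len(names) != 1 or len(types) != 1:
            raise ValueError("an RRset has exactly one owner name and one type")
        name, rtype = next(iter(names)), next(iter(types))
        if not in_bailiwick(name, server_zone):
            return False  # e.g. an injected www.bank.example.net A in a .example referral
        existing = self.entries.get((name, rtype))
        if existing is not None and existing.credibility > credibility:
            return False
        self.entries[(name, rtype)] = CacheEntry(rrset, credibility)
        return True

    def answer(self, name: str, rtype: str):
        """Answer an RD=1 client query.

        Only ANSWER-grade data is returned; glue from additional sections is
        never reused here, since the resolver cannot know that set is complete.
        """
        entry = self.entries.get((name.lower(), rtype))
        if entry is None or entry.credibility < Credibility.ANSWER:
            return None
        return sorted(rr.rdata for rr in entry.rrset)

    def glue(self, nameserver: str):
        """Addresses for a nameserver, any credibility: used only to pick the
        target of the next iterative query, which a forward-only resolver never does."""
        entry = self.entries.get((nameserver.lower(), "A"))
        return sorted(rr.rdata for rr in entry.rrset) if entry else None


def demo():
    """Constructed referral from the (hypothetical) 'example' TLD servers for
    victim.example, carrying one in-bailiwick glue record and one injected,
    out-of-bailiwick A record.  Returns the cache and whether the injection stuck."""
    cache = ResolverCache()
    cache.store({RR("victim.example", "NS", "ns1.victim.example")},
                Credibility.AUTHORITY, "example")
    cache.store({RR("ns1.victim.example", "A", "192.0.2.53")},
                Credibility.ADDITIONAL, "example")
    injected = cache.store({RR("www.bank.example.net", "A", "203.0.113.66")},
                           Credibility.ADDITIONAL, "example")
    return cache, injected


if __name__ == "__main__":
    cache, injected = demo()
    print("injection accepted:", injected)                      # False
    print("RD client asks ns1 A:", cache.answer("ns1.victim.example", "A"))  # None
    print("glue for iteration:", cache.glue("ns1.victim.example"))           # ['192.0.2.53']
```

The glue record for ns1.victim.example is enough to send the next iterative query, but a client asking the resolver for ns1.victim.example/A gets nothing from it; only once the authoritative server for victim.example returns the full A RRset (which may well hold more addresses than the single glue record) does the cache answer from it.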

