[dns-operations] Description of the "Kashpureff-style DNS cache corruption attack"

Paul Vixie paul at vix.com
Mon Nov 27 15:15:44 UTC 2006

> This shouldn't be a problem in a forward-only setting.  The resolver serving
> the clients must not return RRs it has learnt from additional sections (at
> least not when queried with the RD flag) because it cannot know that the
> record set is complete.

that's not how BIND4 or BIND8 implements the truncation rules.  even in the
additional data section, these nameservers will never add a partial RRset to
the message without setting TC, and will assume if TC is set that no RRset in
the last nonempty section can be cached.  and they will later return as
answers, records that were learnt in an additional data section.  BIND8 will
not cache the ones that aren't owned by the zone we were questioning within,
but that's as far as it goes.

> To my knowledge, BIND 9 implements this correctly.  Such information should
> only be used for locating authoritative servers (which is not necessary in a
> forward-only environment).

my local bind9 server has cached DENEB.ENYO.DE. MX and MX5.ENYO.DE. A with
the same TTL.  (the authority server for ENYO.DE. hands out TTL 172800.)  if
i query for MX5.ENYO.DE. A i get that same TTL, indicating that it cached the
result it heard in the additional data section of the original authoritative
response.  a little bit of work with "rndc flush" would resolve any worries,
but, to the best of my own knowledge, BIND9 will cache and reuse records from
the additional data section, following the same truncation logic i described
for BIND8 above.
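As an added illustration (not code from BIND or from anyone on this thread): a toy resolver cache in Python that applies the two policies argued over above, the bailiwick and TC rules described for BIND8, and the stricter rule from the quoted reply under which RRsets learnt in the additional section are never handed back as answers to RD queries. The names DENEB.ENYO.DE and MX5.ENYO.DE and the TTL 172800 come from the message; the nameserver name, the addresses and the out-of-bailiwick www.victim.example record are constructed for the example. The bailiwick check here is applied to every section, which is stricter than the BIND8 behaviour described (additional data only).

```python
"""Toy resolver cache: bailiwick rule, TC rule, and two answer policies for
records learnt from the additional section.  Added example, not BIND code."""
from dataclasses import dataclass, field

ANSWER, AUTHORITY, ADDITIONAL = "answer", "authority", "additional"
SECTIONS = [ANSWER, AUTHORITY, ADDITIONAL]


def labels(name):
    """Split an absolute or relative name into lowercase labels."""
    return [l for l in name.lower().rstrip(".").split(".") if l]


def in_bailiwick(owner, zone):
    """True when owner equals zone or lies below it (case-insensitive)."""
    o, z = labels(owner), labels(zone)
    return len(o) >= len(z) and o[len(o) - len(z):] == z


@dataclass
class CacheEntry:
    rdata: list
    ttl: int
    section: str  # section the RRset was learnt from


@dataclass
class Cache:
    entries: dict = field(default_factory=dict)  # (owner, rtype) -> CacheEntry

    def store(self, rrset, section):
        owner, rtype, ttl, rdata = rrset
        self.entries[(owner.lower(), rtype)] = CacheEntry(list(rdata), ttl, section)

    def get(self, owner, rtype):
        return self.entries.get((owner.lower(), rtype))


def ingest(cache, zone, response):
    """Cache a response from a server we consider authoritative for `zone`.

    RRsets are tuples (owner, rtype, ttl, [rdata, ...]).  Rules applied:
      * an RRset whose owner is outside `zone` is never cached (bailiwick rule;
        here applied to all sections, BIND8 applies it to additional data);
      * if TC is set, nothing in the last non-empty section is cached, since
        that section may hold a partial RRset.
    Returns the (owner, rtype) pairs dropped as out-of-bailiwick.
    """
    dropped = []
    nonempty = [s for s in SECTIONS if response.get(s)]
    last = nonempty[-1] if nonempty else None
    for section in SECTIONS:
        if response.get("tc") and section == last:
            break  # possibly truncated: do not trust this section
        for rrset in response.get(section, []):
            owner, rtype = rrset[0], rrset[1]
            if not in_bailiwick(owner, zone):
                dropped.append((owner, rtype))
                continue
            cache.store(rrset, section)
    return dropped


def lookup(cache, owner, rtype, rd, strict):
    """Answer from cache.  strict=True is the quoted reply's policy: RRsets
    learnt in the additional section are not returned to RD queries (they
    remain usable internally, e.g. to pick a server); strict=False is the
    BIND8-style behaviour the message describes."""
    entry = cache.get(owner, rtype)
    if entry is None:
        return None
    if strict and rd and entry.section == ADDITIONAL:
        return None
    return entry


def example_response():
    """Constructed response for DENEB.ENYO.DE. MX from the ENYO.DE. server.
    The in-zone glue is legitimate; the www.victim.example. A record is the
    Kashpureff-style planted record an attacker-run server might add."""
    return {
        "tc": False,
        ANSWER: [("DENEB.ENYO.DE.", "MX", 172800, ["10 MX5.ENYO.DE."])],
        AUTHORITY: [("ENYO.DE.", "NS", 172800, ["ns.enyo.example."])],  # constructed
        ADDITIONAL: [
            ("MX5.ENYO.DE.", "A", 172800, ["192.0.2.25"]),          # constructed address
            ("www.victim.example.", "A", 172800, ["203.0.113.66"]),  # out of bailiwick
        ],
    }


if __name__ == "__main__":
    cache = Cache()
    print("dropped:", ingest(cache, "ENYO.DE.", example_response()))
    for strict in (False, True):
        print("strict=%s MX5.ENYO.DE. A ->" % strict,
              lookup(cache, "MX5.ENYO.DE.", "A", rd=True, strict=strict))
```

With strict=False the A record for MX5.ENYO.DE. is served from cache with the same 172800 TTL as the MX, which is exactly the symptom described in the message; with strict=True the same query misses and would have to be fetched from the authoritative server.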
