[dns-operations] the mathematics of kaminsky spoofing probability

sthaug at nethelp.no sthaug at nethelp.no
Mon Aug 4 13:36:46 UTC 2008

> Whenever we get a forged answer (qID, port, ...) we process the packet
> as usual, but instead of sending the reply and changing the cache,
> we just put a flag on all cached entries which would have been changed
> by this reply. 
> Whenever a matching answer is received, it cannot change any cache
> entries where this flat is set.

Sounds reasonable. However, such a flag would need some kind of timeout
or aging mechanism so the flag doesn't stick forever. Possibly normal
TTL processing would be sufficient.

Steinar Haug, Nethelp consulting, sthaug at nethelp.no

More information about the dns-operations mailing list