[dns-operations] Agile countermeasures

Masataka Ohta mohta at necom830.hpcl.titech.ac.jp
Mon Aug 25 13:47:37 UTC 2008

Mark Andrews wrote:

> 	I can create delegations that REQUIRE glue from "DE" for
> 	zones under "COM" and glue in "COM" for zones under "DE"
> 	for the delegations to work.
> 	e.g.
> 		example.de	NS ns1.example.com
> 		example.com	NS ns1.example.de
> 	Back about BIND 4.9.[23] I configured named to stop accepting
> 	glue that wasn't under the parent zone.  I did this so I
> 	could chase down bad glue.  If there was bad glue I knew
> 	it had to come from a parent, grandparent etc.  I also knew
> 	that it would break delegations like the one I'm describing
> 	above but I also knew they were rare.

And your false assertions have resulted in BIND vulnerabilities
against Kaminsky's variation of ID guessing attacks.

Isn't it enough that both "bailiwick" and "PKI" are not secure,
not even theoretically?

						Masataka Ohta
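Added example, not part of the original post and not BIND's code or configuration: a small Python model of the bailiwick rule for glue that the quoted message describes, applied to the cross-TLD delegation in the quote. Zone names, addresses, record layout and the helper functions (`filter_glue`, `zones_needing_foreign_glue`) are constructed for illustration; the "enclosing delegation" logic is a simplification that treats glue served by the parent of the NS name's own zone as acceptable and everything else as out of bailiwick.

```python
"""Bailiwick check for glue in referrals, illustrating the quoted thread.

Constructed example: not BIND's implementation, not captured traffic.
"""
from dataclasses import dataclass


def _labels(name: str) -> tuple:
    """Normalise 'NS1.Example.COM.' to ('ns1', 'example', 'com')."""
    return tuple(label for label in name.lower().rstrip(".").split(".") if label)


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is at or below zone, compared label by label
    (so 'xcom' is not under 'com', and the root zone '' covers everything)."""
    n, z = _labels(name), _labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z


@dataclass(frozen=True)
class RR:
    name: str
    rtype: str
    rdata: str


def filter_glue(zone_of_server: str, authority: list, additional: list):
    """Apply the bailiwick rule to one referral.

    zone_of_server: zone the queried server is authoritative for ('com').
    authority: NS RRs of the referral; additional: candidate glue (A/AAAA).
    Glue is accepted only if it is the address of a nameserver named in the
    authority section AND its owner name lies at or below zone_of_server.
    Anything else in the additional section is discarded, which is what keeps
    a spoofed reply for example.com from planting an address for a .de host.
    """
    ns_targets = {_labels(rr.rdata) for rr in authority if rr.rtype == "NS"}
    accepted, rejected = [], []
    for rr in additional:
        ok = (rr.rtype in ("A", "AAAA")
              and _labels(rr.name) in ns_targets
              and in_bailiwick(rr.name, zone_of_server))
        (accepted if ok else rejected).append(rr)
    return accepted, rejected


def zones_needing_foreign_glue(delegations: dict) -> set:
    """Given {zone: [nameserver names]}, return the zones a resolver that
    drops out-of-bailiwick glue can never reach, because every NS name
    lives under a zone that is itself unreachable (simplified model)."""

    def enclosing(ns_name):
        # Closest delegated zone (from the given set) containing ns_name.
        cands = [z for z in delegations if in_bailiwick(ns_name, z)]
        return max(cands, key=lambda z: len(_labels(z))) if cands else None

    resolvable = set()
    changed = True
    while changed:  # fixed point: keep marking zones until nothing changes
        changed = False
        for zone, nameservers in delegations.items():
            if zone in resolvable:
                continue
            for ns_name in nameservers:
                enc = enclosing(ns_name)
                # Resolvable if the NS name is outside the modelled set,
                # under the zone itself (parent serves in-bailiwick glue),
                # or under a zone already known to be resolvable.
                if enc is None or enc == zone or enc in resolvable:
                    resolvable.add(zone)
                    changed = True
                    break
    return set(delegations) - resolvable


def demo() -> dict:
    """Run the three cases the thread is about; constructed data."""
    # 1/2: a COM server's referral for example.com, with a legitimate glue
    # record plus two records a strict resolver must drop.
    com_auth = [RR("example.com", "NS", "ns1.example.com")]
    com_add = [RR("ns1.example.com", "A", "192.0.2.1"),       # real glue
               RR("ns1.example.de", "A", "203.0.113.9"),      # foreign owner name
               RR("mail.example.com", "A", "203.0.113.10")]   # in zone, not an NS
    acc, rej = filter_glue("com", com_auth, com_add)
    # 3: the cross-TLD delegation from the quote: a DE server offering
    # glue for ns1.example.com is out of bailiwick and gets discarded.
    de_auth = [RR("example.de", "NS", "ns1.example.com")]
    de_add = [RR("ns1.example.com", "A", "192.0.2.1")]
    acc_de, _ = filter_glue("de", de_auth, de_add)
    crossed = {"example.de": ["ns1.example.com"], "example.com": ["ns1.example.de"]}
    normal = {"example.de": ["ns1.example.com"], "example.com": ["ns1.example.com"]}
    return {
        "com_accepted": [rr.name for rr in acc],
        "com_rejected": [rr.name for rr in rej],
        "de_accepted": [rr.name for rr in acc_de],
        "stuck_crossed": zones_needing_foreign_glue(crossed),
        "stuck_normal": zones_needing_foreign_glue(normal),
    }


if __name__ == "__main__":
    print(demo())
```

The last two dictionary entries are the point of the quoted message: with `example.de NS ns1.example.com` and `example.com NS ns1.example.de`, each nameserver name can only be resolved through the other delegation, so a resolver that refuses out-of-bailiwick glue reaches neither zone; change one delegation to a nameserver under its own zone and both become resolvable again.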
