[dns-operations] Agile countermeasures

Mark Andrews Mark_Andrews at isc.org
Mon Aug 25 15:07:57 UTC 2008

> Mark Andrews wrote:
> > 	I can create delegations that REQUIRE glue from "DE" for
> > 	zones under "COM" and glue in "COM" for zones under "DE"
> > 	for the delegations to work.
> > 
> > 	e.g.
> > 		example.de	NS ns1.example.com
> > 		example.com	NS ns1.example.de
> > 
> > 	Back about BIND 4.9.[23] I configured named to stop accepting
> > 	glue that wasn't under the parent zone.  I did this so I
> > 	could chase down bad glue.  If there was bad glue I knew
> > 	it had to come from a parent, grandparent etc.  I also knew
> > 	that it would break delegations like the one I'm describing
> > 	above but I also knew they were rare.
> And your false assertions have resulted in BIND vulnerabilities
> against Kaminsky's variation of ID guessing attacks.

	The above was never intended to do more than allow stale
	(bad) glue to be located.  It wasn't attempting to stop
	forged responses.  It was attempting to make the stale glue
	problem manageable.  BTW it does what was intended.

	It turned an unmanageable problem into a manageable problem.

	We now look for stale glue in the parents of the nameserver.

	I can remember when we had to look in every server for every
	zone served by the server as well as all parent zones back
	to the root.  The problem quickly became very large.

	Add to that servers that merged RRsets and servers that
	"corrected" glue, and it became an almost impossible task to
	get bad glue removed.

> Isn't it enough that both "bailiwick" and "PKI" are not secure,
> not even theoretically?
> 						Masataka Ohta

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
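The "only accept glue that lies under the parent zone" rule discussed in this thread, as an added illustration that is not code from the post or from BIND: it filters the additional section of a referral and shows why the cross-delegation example (DE pointing at a COM host) loses its glue. The function names, the constructed records and the 192.0.2.x addresses are assumptions made for the example.

```python
# Added example (not from the original post or BIND): a minimal
# "glue must be under the parent zone" filter. Records are constructed.

def _labels(name: str) -> list[str]:
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return [l.lower() for l in name.rstrip(".").split(".") if l]

def in_bailiwick(parent_zone: str, name: str) -> bool:
    """True if `name` is at or below `parent_zone` (label-wise, not string suffix)."""
    z, n = _labels(parent_zone), _labels(name)
    return len(n) >= len(z) and (n[-len(z):] == z if z else True)

def filter_glue(parent_zone: str, ns_names: list[str],
                additional: list[tuple[str, str, str]]):
    """Keep additional-section glue only if it is for a listed NS name AND
    its owner is under the parent zone. `additional` holds
    (owner, rtype, rdata) tuples. Returns (accepted, rejected)."""
    wanted = {".".join(_labels(n)) for n in ns_names}
    accepted, rejected = [], []
    for owner, rtype, rdata in additional:
        key = ".".join(_labels(owner))
        if (rtype in ("A", "AAAA") and key in wanted
                and in_bailiwick(parent_zone, owner)):
            accepted.append((owner, rtype, rdata))
        else:
            rejected.append((owner, rtype, rdata))
    return accepted, rejected

# Constructed cross-delegation from the post: DE delegates example.de to a
# COM host, so any glue DE would hand out for ns1.example.com is out of
# bailiwick and gets dropped, which is the breakage the post predicts.
CROSS_GLUE = [("ns1.example.com.", "A", "192.0.2.10")]
# Constructed in-bailiwick referral: COM delegating example.com to a COM host,
# plus an unsolicited record for a name that is not one of the NS names.
IN_GLUE = [("ns1.example.com.", "A", "192.0.2.10"),
           ("www.example.com.", "A", "192.0.2.11")]

if __name__ == "__main__":
    ok, bad = filter_glue("de", ["ns1.example.com"], CROSS_GLUE)
    print("DE -> example.de  accepted:", ok, "rejected:", bad)
    ok, bad = filter_glue("com", ["ns1.example.com"], IN_GLUE)
    print("COM -> example.com accepted:", ok, "rejected:", bad)
```

With this rule in place, stale glue can only have come from a parent zone of the nameserver name, which is the narrowing the post describes.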
