[dns-operations] Agile countermeasures
Mark_Andrews at isc.org
Mon Aug 25 15:07:57 UTC 2008
> Mark Andrews wrote:
> > I can create delegations that REQUIRE glue from "DE" for
> > zones under "COM" and glue in "COM" for zones under "DE"
> > for the delegations to work.
> > e.g.
> > example.de NS ns1.example.com
> > example.com NS ns1.example.de
> > Back about BIND 4.9. I configured named to stop accepting
> > glue that wasn't under the parent zone. I did this so I
> > could chase down bad glue. If there was bad glue I knew
> > it had to come for a parent, grandparent etc. I also knew
> > that it would break delegations like the one I'm describing
> > above but I also knew they were rare.
> And your false assertions have resulted in BIND vulnerabilities
> against Kaminsky's variation of ID guessing attacks.
The above was never intended to do more than allow stale
(bad) glue to be located. It wasn't attempting to stop
forged responses. It was attempting to make the stale glue
problem manageable. BTW is does what was intended.
It turned a unmanagable problem into a managable problem.
We now look for stale glue in the parents of the nameserver.
I can remember when we had to look in every server for every
zone served by the server as well as all parent zone back
to the root. The problem quickly became very large.
Add to that servers that merged RRsets and servers that
"corrected" glue it became a almost impossible task to to
get bad glue removed.
> Isn't it enough that both "bailiwick" and "PKI" are not secure,
> not even theoretically.
> Masataka Ohta
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
More information about the dns-operations