[dns-operations] CERT VU#800113 Multiple DNS implementations vulnerable to cache poisoning
Paul Vixie
vixie at isc.org
Fri Jul 11 14:23:26 UTC 2008
> So adding 32 bits or even 48 bits of additional random would be best.
this is true of any wide area UDP protocol where the results are reused.
> The algorithm might in fact be quite simple:
> 1) See if a remote nameserver talks extended query id.
> 2) If it doesn't, fall back to TCP and get the bits from there.
> 3) If that doesn't work, wait for people to fix their firewalls.
>
> What do you think? Move to DNSEXT? There has already been extended query
> id discussion there.
any form of always-use-tcp is undeployable for reasons of both scale and
reach. there would be too much state and through-delay in such a system,
and there are too many unreachable name servers seen by tcp/53.
some reasonable people considered this problem starting 15 years ago and
came up with Secure DNS, which has had to be re-done 4 times, but it's
still the right solution to the general class of problem being noted here.
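An added example, not from this thread or from ISC: a small Python check over constructed observations of outbound resolver queries that flags a resolver still sending from one fixed source port, and shows how the identifier bits a blind forgery must match (the 16-bit TXID, the source port when it varies, and any extra bits such as the 32 or 48 proposed above) change the odds of a spoofed reply being accepted. The resolver names, observations and the `extra_bits` parameter are assumptions for illustration.

```python
import math

# Constructed observations of outbound queries from two hypothetical resolvers,
# as a monitor at the network edge might record them: (resolver, source_port, txid).
# "fixedport" always queries from port 53; "randomised" varies the source port.
OBSERVED = [
    ("fixedport", 53, 0x1A2B), ("fixedport", 53, 0x7C3D),
    ("fixedport", 53, 0x0042), ("fixedport", 53, 0xBEEF),
    ("randomised", 41235, 0x9F01), ("randomised", 58722, 0x2AB8),
    ("randomised", 33017, 0xE3C4), ("randomised", 60911, 0x77D0),
]

TXID_BITS = 16   # the DNS message ID field is 16 bits wide
PORT_BITS = 16   # a UDP source port is 16 bits (upper bound; not every value is usable)


def uses_fixed_source_port(observed, resolver):
    """True if every observed query from `resolver` left from the same UDP port."""
    ports = {port for name, port, _ in observed if name == resolver}
    return len(ports) == 1


def effective_bits(observed, resolver, extra_bits=0):
    """Identifier bits a forged reply must match: the TXID, the source port
    unless it is fixed, plus any hypothetical extra identifier bits."""
    bits = TXID_BITS + extra_bits
    if not uses_fixed_source_port(observed, resolver):
        bits += PORT_BITS
    return bits


def forged_reply_success(bits, replies):
    """Probability that at least one of `replies` independent blind forgeries
    matches all `bits` bits; log1p/expm1 keep precision when 2**-bits is tiny."""
    return -math.expm1(replies * math.log1p(-(2.0 ** -bits)))


def report(observed, resolver, replies=65536):
    """Summarise one resolver: fixed port or not, bits to guess, and the chance
    that `replies` forged answers include one that would be accepted."""
    bits = effective_bits(observed, resolver)
    return {
        "resolver": resolver,
        "fixed_port": uses_fixed_source_port(observed, resolver),
        "bits": bits,
        "p_success": forged_reply_success(bits, replies),
    }


if __name__ == "__main__":
    for name in ("fixedport", "randomised"):
        print(report(OBSERVED, name))
```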