[dns-operations] CERT VU#800113 Multiple DNS implementations vulnerable to cache poisoning

Paul Vixie vixie at isc.org
Fri Jul 11 14:23:26 UTC 2008

> So adding 32 bits or even 48 bits of additional random would be best.

this is true of any wide area UDP protocol where the results are reused.

> The algorithm might in fact be quite simple: 
> 	1) See if a remote nameserver talks extended query id. 
> 	2) If it doesn't fall back to TCP and get the bits from there. 
> 	3) If that doesn't work, wait for people to fix their firewalls.
> What do you think? Move to DNSEXT? There has already been extended query
> id discussion there.

any form of always-use-tcp is undeployable for reasons of both scale and
reach.  there would be too much state and through-delay in such a system,
and, there are too many unreachable name servers seen by tcp/53.

some reasonable people considered this problem starting 15 years ago and
came up with Secure DNS, which has had to be re-done 4 times, but it's
still the right solution to the general class of problem being noted here.
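The resolver-side check that the "additional random bits" idea in the quoted text implies, written out as an added example. This is my own constructed model, not ISC or BIND code and not a design anyone on the thread posted: the `Resolver`, `Pending` and `blind_guess_probability` names are assumptions, the extra bits are simply stored alongside the 16-bit header ID, and the cache stands in for the "results are reused" property Vixie refers to.

```python
"""Model of a resolver matching answers against its outstanding queries.

Constructed illustration (not ISC/BIND code). A query is identified by the
16-bit DNS header ID plus `extra_bits` of additional randomness, which is the
"extended query id" idea discussed on the thread. A blind forger has to guess
all of those bits; a response that misses any of them is discarded, and the
first accepted answer is what gets cached and reused.
"""
import secrets
from dataclasses import dataclass, field

TXID_BITS = 16  # width of the DNS header ID field (RFC 1035)


@dataclass
class Pending:
    """What the resolver remembers about one in-flight query."""
    txid: int       # random 16-bit header ID
    extra: int      # random bits carried outside the header ID (assumed mechanism)
    extra_bits: int


@dataclass
class Resolver:
    extra_bits: int = 0  # 0 models a resolver with only the 16-bit ID
    pending: dict = field(default_factory=dict)  # (qname, qtype) -> Pending
    cache: dict = field(default_factory=dict)    # (qname, qtype) -> rdata (reused)
    rejected: int = 0

    def match_bits(self) -> int:
        """Bits a response must get right before this resolver accepts it."""
        return TXID_BITS + self.extra_bits

    def send_query(self, qname: str, qtype: str = "A") -> Pending:
        """Record a new outstanding query with fresh random identifiers."""
        p = Pending(
            txid=secrets.randbelow(1 << TXID_BITS),
            extra=secrets.randbelow(1 << self.extra_bits),  # randbelow(1) == 0 when extra_bits is 0
            extra_bits=self.extra_bits,
        )
        self.pending[(qname, qtype)] = p
        return p

    def receive(self, qname: str, qtype: str, txid: int, extra: int, rdata: str) -> bool:
        """Accept a response only if it matches an outstanding query exactly."""
        key = (qname, qtype)
        p = self.pending.get(key)
        if p is None or txid != p.txid or extra != p.extra:
            self.rejected += 1
            return False
        # First matching answer wins, and the result is reused from the cache
        # until it expires: this is why the match has to be hard to guess.
        del self.pending[key]
        self.cache[key] = rdata
        return True


def blind_guess_probability(bits: int) -> float:
    """Chance that one uniformly random guess matches all `bits` identifier bits."""
    return 2.0 ** -bits


if __name__ == "__main__":
    for extra in (0, 32, 48):
        r = Resolver(extra_bits=extra)
        print(f"extra_bits={extra:2d}: {r.match_bits()} bits to match, "
              f"p(one blind guess) = {blind_guess_probability(r.match_bits()):.3g}")
```

With `extra_bits=0` the model is an ordinary resolver: only the header ID and the question have to line up. Raising `extra_bits` changes nothing about how `receive` works, only how much a response must get right, which is the scaling property the quoted proposal relies on.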
