[dns-operations] CERT VU#800113 Multiple DNS implementations vulnerable to cache poisoning

Mark Andrews Mark_Andrews at isc.org
Fri Jul 11 22:42:42 UTC 2008


> For BIND and djbdns (tinydns/axfrdns) no change is needed. DNS over TCP is
> enabled by default, but the fools programming the firewall don't read
> the RFCs that say port 53 UDP and TCP.

	Yes, there are changes required.

	First you need to stop the servers making UDP requests by
	default.

	Next you will need to treat your nameserver like an HTTP server
	that is answering thousands of HTTP requests per second.  The
	latter is the expensive part as it may involve new hardware.
 
> I have seen when testing DNSSEC Finland first dropped their IPv6
> records because the packets got too big for UDP and many clients
> switched to TCP because EDNS did not work for them. Next they dropped
> DNSSEC too.

	I long ago stopped worrying about clients and EDNS.  Clients
	either fix their EDNS problems or they don't get answers
	from the root servers.  The root servers have EDNS enabled
	and there are referrals that exceed 512 bytes today.

	The next big crunch comes with fragmented packets, and there
	are enough large responses these days that anyone advertising
	an EDNS UDP size greater than an Ethernet packet will be
	seeing the odd fragmented DNS/UDP response.  Signed answers
	approach and, at times, cross this threshold.

	The solution to this is to fix the firewall that thinks it
	is sensible to drop fragmented packets.  The workaround
	is to advertise an appropriate EDNS UDP size so that truncation
	does not occur.

	e.g.
		edns-udp-size 1460;
 
	Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
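The following is an added example, not part of the mailing-list post above and not ISC or BIND code. It shows, in plain Python with no DNS library, what the advertised EDNS UDP size in the post actually is on the wire and how a server's choice between "answer fits", "answer fragments" and "answer is truncated (TC=1, retry over TCP)" follows from it. The function names (build_query, advertised_udp_size, plan_udp_response, max_unfragmented_payload) and the query name example.com are assumptions made for the example; the 1500-byte MTU and the 20/40-byte IP plus 8-byte UDP header overheads are the standard Ethernet/IPv4/IPv6 figures, and the 512-byte floor for OPT payload sizes is what RFC 6891 specifies.

```python
"""Added example (not from the original post): EDNS0 UDP payload size on the wire
and the truncate / fragment / send decision a responder faces."""
import struct

OPT_TYPE = 41            # EDNS0 OPT pseudo-RR type (RFC 6891)
DO_FLAG = 0x8000         # "DNSSEC OK" bit in the OPT TTL field
IPV4_UDP_OVERHEAD = 20 + 8   # minimal IPv4 header + UDP header
IPV6_UDP_OVERHEAD = 40 + 8   # IPv6 header + UDP header


def encode_name(name):
    """Encode a dotted name as DNS wire-format labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            if len(raw) > 63:
                raise ValueError("label too long")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype, txid=0x1234, edns_udp_size=None, do=False):
    """Build a recursive query; add an OPT RR advertising edns_udp_size if given.

    The OPT RR's CLASS field carries the advertised UDP payload size, which is
    exactly what BIND's 'edns-udp-size' option controls for outgoing queries."""
    arcount = 1 if edns_udp_size is not None else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD=1
    question = encode_name(name) + struct.pack("!HH", qtype, 1)      # IN
    msg = header + question
    if edns_udp_size is not None:
        ttl = DO_FLAG if do else 0   # extended RCODE=0, version=0, flags
        # NAME is the root (single zero byte), RDLENGTH 0: no EDNS options.
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_udp_size, ttl, 0)
    return msg


def _skip_name(msg, off):
    """Return the offset just past a wire-format name (handles compression)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # compression pointer: 2 bytes, ends name
            return off + 2
        off += 1 + length


def advertised_udp_size(msg):
    """Walk a DNS message and return (udp_payload_size, dnssec_ok).

    Without an OPT RR the sender is a classic DNS client limited to 512 bytes.
    RFC 6891 says values below 512 are to be treated as 512."""
    _, _, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            return max(rclass, 512), bool(ttl & DO_FLAG)
    return 512, False


def max_unfragmented_payload(mtu=1500, ipv6=False):
    """Largest DNS payload that fits one datagram on a link with this MTU."""
    return mtu - (IPV6_UDP_OVERHEAD if ipv6 else IPV4_UDP_OVERHEAD)


def plan_udp_response(advertised, response_len, mtu=1500, ipv6=False):
    """What happens if a responder puts response_len bytes into UDP.

    'truncate': answer exceeds what the client advertised, so the server sets
                TC=1 and the client must retry over TCP.
    'fragment': answer is within the advertised size but the datagram exceeds
                the path MTU, so it travels as IP fragments (the case the post
                warns about when firewalls drop fragments).
    'send':     fits in a single unfragmented datagram."""
    if response_len > advertised:
        return "truncate"
    if response_len > max_unfragmented_payload(mtu, ipv6):
        return "fragment"
    return "send"


if __name__ == "__main__":
    # Constructed sample: a DNSKEY query (type 48) advertising the post's 1460.
    q = build_query("example.com", 48, edns_udp_size=1460, do=True)
    print("advertised:", advertised_udp_size(q))
    for size in (400, 1460, 1600):
        print(size, "->", plan_udp_response(1460, size))
```

With a 1500-byte Ethernet MTU the largest DNS payload that still fits one IPv4 datagram is 1472 bytes, so an advertised 1460 keeps every in-budget answer under that line, while a client advertising 4096 will get large signed answers back as IP fragments and, behind a fragment-dropping firewall, will see nothing at all.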
