[dns-operations] Opened Pandora's box of Cache Poisoning
Daisuke Kotani
daisuke at kotachi.com
Sat May 3 17:51:08 UTC 2014
> The "Pandora box" documents repeat quite often that it is a special
> case for poisoning but they don't explain why and they don't explain
> why it makes a specific vulnerability. So, I stay skeptical.

Their method is just an extension of Muller's method, and
I think their key finding is that they find effective targets for
poisoning (like TLDs).

> That's well known from the beginning of DNSSEC and I do not see what's
> the relationship with the issue of "domains which are not a zone"
> (like gouv.fr or ac.jp).

From the resolvers' view, "domains which are not a zone" seem to be
among the unsigned zones if spoofed NS RRs for them are injected.

(2014/05/04 1:48), Stephane Bortzmeyer wrote:
> On Sun, May 04, 2014 at 01:43:06AM +0900,
> Daisuke Kotani <daisuke at kotachi.com> wrote
> a message of 66 lines which said:
>
>> One thing that should be noted in the "Additional Page" is that the
>> jp. name servers directly delegate example.ac.jp to the
>> authoritative servers of it, and no RR of QNAME "ac.jp."
>
> Yes, it happens in many places, for instance for gouv.fr (try
> ssi.gouv.fr).
>
> The "Pandora box" documents repeat quite often that it is a special
> case for poisoning but they don't explain why and they don't explain
> why it makes a specific vulnerability. So, I stay skeptical.
>
>> DNSSEC does not sign NS RRs for delegation (See RFC4035 Sec.2.2),
>> therefore DNSSEC cannot verify the integrity of delegation.
>
> That's well known from the beginning of DNSSEC and I do not see what's
> the relationship with the issue of "domains which are not a zone"
> (like gouv.fr or ac.jp).
>
--
Daisuke Kotani <daisuke at kotachi.com>
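
Added example, not part of the original message: a small model of the two points discussed in the thread, namely which RRsets a signed parent zone covers with an RRSIG under RFC 4035 Sec. 2.2, and why a name like ac.jp. carries no records when jp. delegates example.ac.jp. directly. The zone contents and all names below are constructed for illustration, not real jp. data.

```python
# Constructed sample of what a signed jp. zone could hold; every name is illustrative.
APEX = "jp."
RRSETS = [
    ("jp.", "SOA"), ("jp.", "NS"), ("jp.", "DNSKEY"),
    ("example.ac.jp.", "NS"),      # delegation made directly from jp.
    ("example.ac.jp.", "DS"),      # child is signed
    ("ns1.example.ac.jp.", "A"),   # glue for the delegation
    ("plain.ac.jp.", "NS"),        # delegation to an unsigned child (no DS)
]

def labels(name):
    return name.rstrip(".").split(".")

def at_or_below(name, ancestor):
    a = labels(ancestor)
    return labels(name)[-len(a):] == a

def zone_cuts(apex, rrsets):
    """Owners of NS RRsets other than the apex are delegation points."""
    return {o for o, t in rrsets if t == "NS" and o != apex}

def parent_signs(owner, rtype, cuts):
    """RFC 4035 sec. 2.2: only authoritative RRsets get an RRSIG."""
    for cut in cuts:
        if owner == cut:
            return rtype in ("DS", "NSEC")   # delegation NS is never signed
        if at_or_below(owner, cut):
            return False                     # glue is never signed
    return True

def classify(apex, rrsets):
    cuts = zone_cuts(apex, rrsets)
    return {(o, t): parent_signs(o, t, cuts) for o, t in rrsets}

def empty_non_terminals(apex, rrsets):
    """Names between the apex and an owner that carry no RRset at all."""
    owners = {o for o, _ in rrsets}
    found = set()
    for o in owners:
        parts = labels(o)
        for i in range(1, len(parts) - len(labels(apex))):
            parent = ".".join(parts[i:]) + "."
            if parent not in owners:
                found.add(parent)
    return found

if __name__ == "__main__":
    for key, signed in classify(APEX, RRSETS).items():
        print(key, "RRSIG" if signed else "unsigned")
    print("no records at:", empty_non_terminals(APEX, RRSETS))
```

In this model the only signed data at a delegation point is the DS RRset, so a validator can check whether the child is signed but cannot check the delegation NS RRset or the glue themselves.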