[dns-operations] non-secure dynamic updates

Paul Vixie vixie at fsi.io
Wed Dec 14 09:11:41 UTC 2016

when we were working on RFC 2136 i had not yet got it through my head
that most operators would run with defaults, and many implementors would
provide bad defaults.

the paper referenced below, published a couple of weeks back, tells an
unfortunate tale. and i've heard that notification and remediation is
going about as poorly as it usually does.


title: <<Zone Poisoning: The How and Where of Non-Secure DNS Dynamic

abstract: <<This paper illuminates the problem of non-secure DNS dynamic
updates, which allow a miscreant to manipulate DNS entries in the zone
files of authoritative name servers. We refer to this type of attack as
zone poisoning. This paper presents the first measurement study of
the vulnerability. We analyze a random sample of 2.9 million domains and
the Alexa top 1 million domains and find that at least 1,877 (0.065%)
and 587 (0.062%) of domains are vulnerable, respectively. Among the
vulnerable domains are governments, health care providers and banks,
demonstrating that the threat impacts important services. Via this study
and subsequent notifications to affected parties, we aim to improve the
security of the DNS ecosystem.>>

it's worth a look.

P Vixie
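An added configuration example, not part of the original post or of the paper: BIND 9 named.conf zone stanzas showing the weak RFC 2136 setting the abstract describes (any client may send an UPDATE) beside a TSIG-restricted update-policy. Zone names, file paths, the key name and the secret are placeholders.

```conf
// Added example (not from the original post): BIND 9 named.conf stanzas.
// Zone names, file paths, key name and secret are placeholders.

// WEAK: non-secure dynamic updates. Any host that can reach the server
// may add, change or delete records in this zone with an unsigned
// RFC 2136 UPDATE message, which is the zone poisoning the paper measures.
zone "weak.example" {
    type master;
    file "weak.example.zone";
    allow-update { any; };
};

// HARDENED: an UPDATE is accepted only if it carries a valid TSIG
// signature made with this shared key. Generate the secret with
// `tsig-keygen` and keep it out of world-readable files.
key "ddns-key.example" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET";
};

zone "example.com" {
    type master;
    file "example.com.zone";
    // update-policy replaces allow-update; do not set both on one zone.
    update-policy {
        // The key may only touch names under dyn.example.com, and only
        // A and AAAA records, so it cannot rewrite the apex, NS or MX.
        grant ddns-key.example subdomain dyn.example.com A AAAA;
    };
};
```

After reloading, an unsigned UPDATE against example.com is refused (REFUSED in the server log), while a correctly signed one for a host under dyn.example.com succeeds.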
