Re: how to protect name servers against cache corruption

[Paul A Vixie <vixie () vix com>]

someone asked me a question in private e-mail that deserves a public answer.

> 1) How exactly did Eugene Kashperuff propogate this "RR poisoning" across
> the Internet? From NANOG's previous mailings I can deduce that it was along
> the lines of dig @victim -t ns www.alternic.net. Where www.alternic.net had
> duff A records.

yes.

> 2) What were/are the symptoms of this attack? www.internic.net resolving to
> www.alternic.net? 

yes.

> 3) If it was that easy to do, why hasn't it happened again?

because that particular attack only works if you are willing to get caught.
since eugene did this as a publicity stunt (which, i understand, has now
begun to backfire on him since his victims didn't interpret it that way),
he _needed_ to be caught.

> 3a) What measures were taken (other than discussion of DNSSEC, or lack of
> it) to 'cure' affected servers?

upgrade to bind-4.9.6 or bind-8.1.1.

> 4) How can I check for cache corruption?

"dig @0 www.netsol.com a" and "dig @cache00.ns.uu.net www.netsol.com a" and
check for differences.

> Apologies if any of the above sound moronic or ill-informed; extracting
> facts from reams of "what is a backhoe" mail list is a painfully slow task.
> Time for some filters I think...

no apologia needed.  public explainations of this attack have been poor, even
and especially by me.  i'm grateful for the opportunity to improve on that.