nanog mailing list archives
Re: how to protect name servers against cache corruption
From: tqbf () smtp enteract com
Date: 30 Jul 1997 23:52:18 -0000
In article <199707301403.KAA08865 () jekyll piermont com>, you wrote:
Oh, beautiful. I'd love a tool like that -- it would give me a way of forcing copies of BIND that had been rigged not to accept arbitrary
I'm sorry I'm not being more clear about this, but I figured the word "re-issued" would convey the point. I will reiterate clearly: BIND, upon detecting forged responses to an OPEN QUERY, INVALIDATES the old query (which currently means taking the query's ID off the list of in-use query IDs) and initiates a NEW query. BIND, upon receiving a response to a query that isn't even open, logs and ignores the packet.
outside queries to make queries of my choice. Were I a systems cracker, I would love such a tool. I can think of some other mean hacks I could do with that facility, too.
Well, it's a good thing nobody has proposed that "tool".
The problem is not a lack of "clever hacks". The problem is a lack of security in the DNS protocols without DNSSEC.
The problem is that DNSSEC is not going to happen within the next 3 months; what are people running production networks using the old protocols going to do until it IS completely available? Put more directly: if I publish an exploit for a problem in the DNS protocol that cannot be fixed completely without DNSSEC, /What do you do/? You operate a highly available network used by thousands of customers daily, all of whom are angrily calling and asking why they're seeing PORN when they fire up their copy of Netscape, which happily resolves HOME.NETSCAPE.COM to WWW.PORNSHOP.COM. Remember, this is a problem that can't be fixed without a globally-deployed protocol re-vamp. What do you do? -- ---------------- Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf () enteract com] ---------------- exit(main(kfp->kargc, argv, environ));
Current thread:
- Re: how to protect name servers against cache corruption, (continued)
- Re: how to protect name servers against cache corruption Thomas H. Ptacek (Jul 29)
- Re: how to protect name servers against cache corruption Paul A Vixie (Jul 29)
- Re: how to protect name servers against cache corruption Perry E. Metzger (Jul 29)
- Re: how to protect name servers against cache corruption Thomas H. Ptacek (Jul 29)
- Re: how to protect name servers against cache corruption Perry E. Metzger (Jul 29)
- Re: how to protect name servers against cache corruption Thomas H. Ptacek (Jul 29)
- Re: how to protect name servers against cache corruption Christopher Masto (Jul 29)
- Re: how to protect name servers against cache corruption tqbf (Jul 29)
- Re: how to protect name servers against cache corruption Jay R. Ashworth (Jul 30)
- Re: how to protect name servers against cache corruption Perry E. Metzger (Jul 30)
- Re: how to protect name servers against cache corruption tqbf (Jul 30)
- Re: how to protect name servers against cache corruption Deepak Jain (Jul 30)
- Re: how to protect name servers against cache corruption Thomas H. Ptacek (Jul 30)
- Message not available
- Re: how to protect name servers against cache corruption Jay R. Ashworth (Jul 30)
- Re: how to protect name servers against cache corruption Ben Black (Jul 29)
- Re: how to protect name servers against cache corruption Perry E. Metzger (Jul 29)
- Re: how to protect name servers against cache corruption Ben Black (Jul 29)
- off-topic (Re: how to protect name servers against cache corruption ) Paul A Vixie (Jul 29)
- Re: off-topic (Re: how to protect name servers against cache corruption ) Larry Vaden (Jul 29)
- Re: off-topic (Re: how to protect name servers against cache corruption ) Ben Black (Jul 30)
- Re: how to protect name servers against cache corruption Lon R. Stockton, Jr. (Jul 29)