Why *can* cached DNS replies be overwritten?

["Jay R. Ashworth" <jra () baylink com>]

On Mon, Aug 11, 2008 at 11:20:07AM -0400, Leo Bicknell wrote:
> If your vendor told you that you are not at risk they are wrong,
> and need to go re-read the Kaminski paper.  EVERYONE is vunerable,
> the only question is if the attack takes 1 second, 1 minute, 1 hour
> or 1 day.  While possibly interesting for short term problem
> management none of those are long term fixes.  I'm not sure your
> customers care when .COM is poisoned if it took the attacker 1
> second or 1 day.

Correct me if I'm wrong, Leo, but your assertion turns on the fact that
the server will accept an overwriting cache entry for something it
already has cacheed, does it not?

Do djb and Power in fact do that?

If they don't, the window of opportunity to poison something like .com
is limited to the period between when that entry expires from the local
server's cache and the next time it hears a reply -- which will be the
time after that expiry when someone next requests a .com name; IE
almost immediately, no?

Everyone seems to continue asking "why can poisoning overwrite already
cached answer" and no one seems to be answering, and, unless I'm a
moron (which is not impossible), that's the crux of this issue.

Cheers,
-- jra
-- 
Jay R. Ashworth                   Baylink                      jra () baylink com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com                     '87 e24
St Petersburg FL USA      http://photo.imageinc.us             +1 727 647 1274

             Those who cast the vote decide nothing.
             Those who count the vote decide everything.
               -- (Josef Stalin)