how to protect name servers against cache corruption

tqbf at smtp.enteract.com
Wed Jul 30 00:02:07 UTC 1997


In article <199707222024.NAA14009 at wisdom.rc.vix.com>, you wrote:
>a BIND 4.9.6 or 8.1.1 server is immune.  so, you could upgrade.  to so do,
>see http://www.isc.org/isc/ which will lead you to ftp://ftp.isc.org/isc/.
>(the root name servers are all running modern software at this point.)

Immune to which attack? The poisoned resource-record attack? The ID
guessing attack? How have you confirmed that 8.1.1 is not vulnerable to
related attacks?

Since, as you say, this has an "operations" context (the integrity of the
Internet domain service in realistic danger), it might be appropriate and
appreciated for you to detail the steps you and the ISC have taken to
resolve these problems in BIND 8.1.1. Does 8.1.1 validate resource
records? Does it use random query IDs? 

My understanding of Kashpureff's attack was that it was of minimal
complexity (specifically, that he ripped off some kid's cname-bouncing
script). I am therefore concerned at what appears to be the use of his
apparently unsophisticated attack as a metric for the security of BIND
8.1.1.

Thanks for reading this, and for your time!

-- 
----------------
Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf at enteract.com]
----------------
exit(main(kfp->kargc, argv, environ));



