how to protect name servers against cache corruption

Wed Jul 30 23:52:18 UTC 1997

In article <199707301403.KAA08865 at jekyll.piermont.com>, you wrote:
>Oh, beautiful. I'd love a tool like that -- it would give me a way of
>forcing copies of BIND that had been rigged not to accept arbitrary

I'm sorry I'm not being more clear about this, but I figured the word
"re-issued" would convey the point. I will reiterate clearly:

BIND, upon detecting forged responses to an OPEN QUERY, INVALIDATES the
old query (which currently means taking the query's ID off the list of
in-use query IDs) and initiates a NEW query.

BIND, upon receiving a response to a query that isn't even open, logs and
ignores the packet.

>outside queries to make queries of my choice. Were I a systems
>cracker, I would love such a tool.
>I can think of some other mean hacks I could do with that facility, too.

Well, it's a good thing nobody has proposed that "tool".

>The problem is not a lack of "clever hacks". The problem is a lack of
>security in the DNS protocols without DNSSEC.

The problem is that DNSSEC is not going to happen within the next 3
months; what are people running production networks using the old
protocols going to do until it IS completely available?

Put more directly: if I publish an exploit for a problem in the DNS
protocol that cannot be fixed completely without DNSSEC, /What do you do/?
You operate a highly available network used by thousands of customers
daily, all of whom are angrily calling and asking why they're seeing PORN
when they fire up their copy of Netscape, which happily resolves
HOME.NETSCAPE.COM to WWW.PORNSHOP.COM.

Remember, this is a problem that can't be fixed without a
globally-deployed protocol re-vamp. What do you do? 

-- 
----------------
Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf at enteract.com]
----------------
exit(main(kfp->kargc, argv, environ));