Multiple DNS implementations vulnerable to cache poisoning

Steven M. Bellovin smb at
Wed Jul 9 17:55:07 UTC 2008

On Wed, 9 Jul 2008 13:06:53 -0400
"Christopher Morrow" <morrowc.lists at> wrote:

> On Wed, Jul 9, 2008 at 12:11 PM, Steven M. Bellovin
> <smb at> wrote:
> > On Wed, 9 Jul 2008 12:05:38 -0400
> > "Christopher Morrow" <morrowc.lists at> wrote:
> >> Pressure your local ICANN officers?
> >>
> > How many ISPs run DNS servers for customers?  Start by signing those
> This is likely going to mean some mean OSS changes and perhaps
> re-adjustment of where customer zones live to deal with extra load on
> auth servers... Also, the customer(s) likely have to ask for that sort
> of thing to happen, and include in their OSS re-signing/verifying/blah
> when they make changes to their zone(s).

Precisely my point.  (In a related vein, how many folks started
updating their OSSs a few years ago to handle IPv6 addresses?)
> > zones -- that has to be done in any event.  Set up caching
> > resolvers to verify signatures.  "It is not your part to finish the
> > task, yet you
> yup, more server load considerations, for services not being paid for
> directly by customers... also, this is but a small minority of the
> affected devices here. Not that it's not important, but there are
> other parts of the dns pie. Someone mentioned CPE devices doing
> cache-resolving as well, if their upstream is an affectd device they
> are vulnerable, if they are vulnerable they could be subverted :(
> My point was really, how do we get dns-sec rolling? From the top-down
> that's 'bug icann' right? and from the bottom-up that's:
> 0) update applications to meaningfully use dnssec data
> 1) educate users/domain-owners
> 2) roll infrastructure to the ISP/Enterprise
> 3) make sure the CPE/end-systems are prepared for dnssec
> 4) update OSS bits down the dns-tree
> 5) deploy
> 6) rejoice?
> Just saying "DNSSEC is the answer" is cool, but we've
> (network/security community) been saying that for 10 years. How does
> this move forward?
Maybe this attack will help...

More seriously -- unlike v6, the pieces here can be updated
independently; they'll then DTRT when the proper bits start showing up
on the wire.  Enterprises can sign their own zones, and give (with help
from Microsoft, of course) their employees resolvers and configurations
that know to expect signatures for that zone.  Enterprises and
consumer-facing ISPs can start deploying caching resolvers that use the
AD bit and TSIG when talking to clients.

The pressure on ICANN and down from there can happen at the same time.
Some day, they'll meet in the middle...

		--Steve Bellovin,

More information about the NANOG mailing list