Why *can* cached DNS replies be overwritten?
"Jay R. Ashworth" <jra@baylink.com> Mon, 11 August 2008 19:12 UTC
Date: Mon, 11 Aug 2008 15:04:27 -0400
From: "Jay R. Ashworth" <jra@baylink.com>
To: namedroppers@psg.com
Subject: Why *can* cached DNS replies be overwritten?
Message-ID: <20080811190427.GD9082@cgi.jachomes.com>

[ cross-posted from NANOG, cause vix told me to :-) ]

On Mon, Aug 11, 2008 at 11:20:07AM -0400, Leo Bicknell wrote:
> If your vendor told you that you are not at risk they are wrong,
> and need to go re-read the Kaminsky paper. EVERYONE is vulnerable,
> the only question is if the attack takes 1 second, 1 minute, 1 hour
> or 1 day. While possibly interesting for short term problem
> management none of those are long term fixes. I'm not sure your
> customers care when .COM is poisoned if it took the attacker 1
> second or 1 day.

Correct me if I'm wrong, Leo, but your assertion turns on the fact that
the server will accept an overwriting cache entry for something it
already has cached, does it not?

Do djb and Power in fact do that?

If they don't, the window of opportunity to poison something like .com
is limited to the period between when that entry expires from the local
server's cache and the next time it hears a reply -- which will be the
time after that expiry when someone next requests a .com name; IE almost
immediately, no?

Everyone seems to continue asking "why can poisoning overwrite already
cached answer" and no one seems to be answering, and, unless I'm a moron
(which is not impossible), that's the crux of this issue.

Cheers,
-- jra
--
Jay R. Ashworth   Baylink   jra@baylink.com
Designer   The Things I Think   RFC 2100
Ashworth & Associates   http://baylink.pitas.com   '87 e24
St Petersburg FL USA   http://photo.imageinc.us   +1 727 647 1274

Those who cast the vote decide nothing.
Those who count the vote decide everything.
  -- (Josef Stalin)

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>
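
The distinction the message above turns on, as an added example that is not part of the original post: a toy cache replayed under both policies (accept an overwriting answer, or keep the unexpired entry). The class, the names and the events are constructed; "forged" stands for any answer that has already passed the resolver's other acceptance checks, which is an assumption of the model, and the model makes no claim about how any real resolver behaves.

```python
from dataclasses import dataclass

@dataclass
class Entry:
    value: str
    expires: int  # absolute time, in seconds

class Cache:
    """Toy resolver cache; `overwrite` selects the policy in question."""
    def __init__(self, overwrite):
        self.overwrite = overwrite
        self.entries = {}

    def live(self, name, now):
        entry = self.entries.get(name)
        return entry if entry and entry.expires > now else None

    def offer(self, name, value, ttl, now):
        """Offer an answer; return True if the cache stored it."""
        if self.live(name, now) and not self.overwrite:
            return False  # unexpired entry is kept, new answer dropped
        self.entries[name] = Entry(value, now + ttl)
        return True

def replay(overwrite, events):
    """Replay (time, name, value, ttl) answers; return the cached value after each."""
    cache = Cache(overwrite)
    held = []
    for now, name, value, ttl in events:
        cache.offer(name, value, ttl, now)
        held.append(cache.live(name, now).value)
    return held

# Constructed events: a second answer arriving while the first is still cached...
MID_TTL = [(0, "com.", "genuine", 100), (10, "com.", "forged", 100)]
# ...and one arriving in the gap between expiry (t=100) and the next genuine reply.
AFTER_EXPIRY = [(0, "com.", "genuine", 100), (100, "com.", "forged", 100),
                (101, "com.", "genuine", 100)]

if __name__ == "__main__":
    for label, events in (("mid-TTL", MID_TTL), ("after expiry", AFTER_EXPIRY)):
        for overwrite in (True, False):
            policy = "overwrite" if overwrite else "keep"
            print(label, policy, replay(overwrite, events))
```

Under the keep policy the mid-TTL answer is dropped, but the answer that arrives in the gap after expiry is stored and then shields itself from the genuine reply for a full TTL.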