Evan Hunt wrote:
>> In what way would it be unsafe to run a non-Kaminsky-patched
>> *authoritative-only* nameserver? My understanding is that Kaminsky only
>> applies to resolvers.
>
> Well, for one thing, upgrading to a patched server protects against the
> "idiot successor" problem, where someone takes over your job someday
> and naively reconfigures your server to be unsafe. ;)
>
> The theoretical, academic answer to your question is: a Kaminsky-style
> attack is much less likely to succeed against an authoritative-only server
> than against a resolver. I'm not prepared, though, to say it's impossible
> (auth-only servers do send notifies and maintain a small cache).

NOTIFY is a non-issue in my opinion.

a) NOTIFY activity is driven by zone changes, the timing of which is usually
unknowable by the attacker, thus making successful forgery significantly rarer
than in the case of normal queries and responses,

b) the most that the attacker could hope to accomplish is an indirect DoS on
the primary master server, by causing all of its slaves to perform refreshes.
But there is very little amplification here, compared to other forms of DNS
DoS attacks,

c) since masters and slaves already have a trust relationship, they can and
should already be using TSIG to authenticate their transactions, which
includes NOTIFY transactions.

- Kevin
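Point (c) above, worked out as a configuration. This is an added example in BIND 9 named.conf syntax, not something posted in the thread: the addresses 192.0.2.1/192.0.2.2, the zone name and the key name are constructed placeholders, and the secret is a placeholder to be replaced with one generated by tsig-keygen. It shows the same TSIG key gating both zone transfers and NOTIFY, so an unsigned NOTIFY from a spoofed source address is refused instead of triggering a refresh on every slave.

```conf
# Added example (not from the thread): TSIG-authenticated NOTIFY and zone
# transfer between a master and a slave in BIND 9 named.conf syntax.
# Addresses, zone and key name are constructed; the secret is a placeholder.
# Newer BIND releases also accept "primary"/"secondary"/"primaries" for
# "master"/"slave"/"masters" below.

# --- shared by both servers: the TSIG key (keep the secret out of VCS) ---
key "xfer-key" {
    algorithm hmac-sha256;
    secret "<base64 secret generated with tsig-keygen - placeholder>";
};

# --- master (192.0.2.1) ---
# Every message sent to the slave, NOTIFY included, is signed with the key.
server 192.0.2.2 {
    keys { "xfer-key"; };
};

zone "example.test" {
    type master;
    file "example.test.db";
    # Only a correctly signed request may pull the zone; a bare IP-address
    # ACL can be satisfied by a spoofed source, a key ACL cannot.
    allow-transfer { key "xfer-key"; };
    also-notify { 192.0.2.2; };
};

# --- slave (192.0.2.2) ---
# SOA and AXFR/IXFR requests to the master are signed with the same key.
server 192.0.2.1 {
    keys { "xfer-key"; };
};

zone "example.test" {
    type slave;
    file "example.test.db";
    masters { 192.0.2.1 key "xfer-key"; };
    # Unsigned or wrongly signed NOTIFYs are rejected, so a forged NOTIFY
    # cannot make this slave refresh against the master (the indirect DoS
    # described in point (b)).
    allow-notify { key "xfer-key"; };
};
```

Run named-checkconf on each side after editing; a rejected NOTIFY shows up in the named log as a refused notify from the unsigned source, which is also a useful signal that someone is probing the master/slave relationship.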
