Dean Anderson wrote:

>>A property of Kaminsky's attack that it is effective against a single
>>target is useful, here.

> I don't know if anyone noticed, but in fact, according to RFC4035 the
> delegation records and the glue records are not signed.

Really? (I am not interested in reading RFC4035 only to confirm DNSSEC
is broken beyond any attempt of repair)

Then, it should not have been a problem if correct authority model
of referral was used, because cached glue records should have been
used only for the referral of same <random> domain name appears again,
probability of which is negligible.

However, according to Paul, most implementations are broken, 
upgrading of which is as time consuming as upgrading implementations
to use modified protocol with, say, effectively 64 bit ID.

> A verifying
> DNSSEC cache can be poisoned with bad glue records using the poisoning
> attack, with only a slight change to the Kaminsky software.

Can you demonstrate it with existing implementations?

                                                        Masataka Ohta

PS

Birthday attacks can, seemingly, be protected against if outstanding
query is invalidated (query fails) upon a reception of partially
matching (query and server address but not ID matches) answer.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
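
The rule proposed in the PS above, sketched as an added example (not part of the original message and not taken from any existing resolver): a response that matches the query and server address but not the ID fails the outstanding query instead of being silently dropped. The class and method names are hypothetical, the addresses and IDs are constructed, and it assumes one outstanding query per (server, question).

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Key:
    server: str  # address the query was sent to
    qname: str
    qtype: str


class PendingQueries:
    """Hypothetical outstanding-query table for a caching resolver."""

    def __init__(self):
        self._pending = {}  # Key -> 16-bit transaction ID
        self.failed = []    # queries invalidated by a partial match

    def send(self, server, qname, qtype, txid=None):
        # Assumption: a repeated send for the same key replaces the old entry.
        key = Key(server, qname.lower(), qtype)
        self._pending[key] = secrets.randbelow(1 << 16) if txid is None else txid
        return self._pending[key]

    def on_response(self, src, qname, qtype, txid):
        key = Key(src, qname.lower(), qtype)
        expected = self._pending.get(key)
        if expected is None:
            return "ignored"        # nothing outstanding for this server/question
        del self._pending[key]      # either outcome ends this query
        if txid == expected:
            return "accepted"
        # Partial match: server and question match, ID does not.
        # Fail the query so later guesses have nothing left to hit.
        self.failed.append(key)
        return "query-failed"


def demo():
    """Constructed burst of forged answers; the second guess is the real ID."""
    pq = PendingQueries()
    pq.send("192.0.2.53", "abc123.example.com", "A", txid=0x1234)
    guesses = [0x0001, 0x1234, 0x0002]
    return [pq.on_response("192.0.2.53", "ABC123.example.com", "A", g)
            for g in guesses]


if __name__ == "__main__":
    print(demo())
```

In this sketch a failed query leaves nothing in the cache; whether and how the caller retries is outside what the message describes.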
