why do glue records *always* *have* to overwrite the cache?

Gabriel Somlo gsomlo at gmail.com
Mon Aug 11 23:44:41 UTC 2008


On Mon, Aug 11, 2008 at 5:45 PM, JINMEI Tatuya / 神明達哉
<Jinmei_Tatuya at isc.org> wrote:
> Did you actually confirm this behavior?  As far as I understand the
> code (and I actually checked the behavior previously) BIND9 doesn't
> replace an authoritative RRset with a glue.  Or in other words, it
> strictly follows the rule of RFC2181.

I was just trying to locate the code that's actually responsible for Dan Kaminsky's vulnerability. As described by him, upon successful poisoning, the attacker returns a message that says "don't know the IP for abc123.foo.com, but check with www.foo.com at 5.6.7.8". The exploit relies on the fact that BIND will overwrite its currently cached entry for www.foo.com (1.2.3.4) with this new information (5.6.7.8). I was trying to locate where in the code this happens, and also to understand why it *has* to happen that way (i.e., what would break if I simply ignored the new info and kept my current data in the cache)?

> Codewise, what should be referred to is line 4944 (9.5.1b1) of
> lib/dns/rbtdb.c rather than resolver.c:

I was looking for where in the code my 1.2.3.4 will be overwritten with 5.6.7.8 in the above example...

Thanks much!

--Gabriel
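The rule Jinmei refers to (BIND not replacing an authoritative RRset with glue) is the credibility ranking of RFC 2181 section 5.4.1. The following is an added example, not part of this message and not BIND's code: a toy cache that ranks each RRset by where it came from and refuses to let lower-ranked data overwrite higher-ranked data. The names and addresses (www.foo.com, abc123.foo.com, 1.2.3.4, 5.6.7.8) are the hypothetical ones from the message above; the ranking is a simplification of the RFC's list, and treating equal-rank data as a refresh is a design choice of this example, not something the RFC mandates.

```python
"""Toy DNS cache with RFC 2181 section 5.4.1 credibility ranking.

Added illustration only; this is not BIND's rbtdb code. All records
below are constructed sample data.
"""
from dataclasses import dataclass
from enum import IntEnum


class Trust(IntEnum):
    """Where an RRset came from, lowest to highest trust (simplified RFC 2181 5.4.1)."""
    ADDITIONAL = 1       # additional section, or authority section of a non-AA answer
    NONAUTH_ANSWER = 2   # answer section of a non-authoritative answer
    GLUE = 3             # glue from a zone file or zone transfer
    AUTH_AUTHORITY = 4   # authority section of an authoritative answer
    AUTH_ANSWER = 5      # answer section of an authoritative answer
    ZONE = 6             # non-glue data from a zone file or zone transfer


@dataclass(frozen=True)
class RRset:
    name: str
    rtype: str
    rdata: tuple
    trust: Trust


class Cache:
    """Keyed by (owner name, type); stores one RRset per key."""

    def __init__(self):
        self._store = {}

    def add(self, rrset: RRset) -> bool:
        """Insert rrset unless the cache already holds more trustworthy data.

        Returns True if the cache was updated, False if the new data was
        discarded because an existing entry outranks it.
        """
        key = (rrset.name.lower(), rrset.rtype)
        existing = self._store.get(key)
        if existing is not None and rrset.trust < existing.trust:
            return False          # lower-ranked data never overwrites higher-ranked data
        self._store[key] = rrset  # equal rank is treated as a refresh (example's choice)
        return True

    def answer(self, name: str, rtype: str):
        """Return rdata usable as an answer, or None.

        RFC 2181 says data from the least trustworthy group (additional
        section, authority section of a non-AA answer) must never be
        returned as an answer, so it is filtered here even if cached.
        """
        rr = self._store.get((name.lower(), rtype))
        if rr is None or rr.trust <= Trust.ADDITIONAL:
            return None
        return rr.rdata


def scenario_warm_cache():
    """Cache already holds an authoritative A record for www.foo.com.

    A later response for abc123.foo.com carries www.foo.com A 5.6.7.8 in its
    additional section. The ranked cache refuses to replace 1.2.3.4 with it.
    """
    cache = Cache()
    cache.add(RRset("www.foo.com", "A", ("1.2.3.4",), Trust.AUTH_ANSWER))
    # Constructed sample: additional-section data riding on an unrelated response.
    accepted = cache.add(RRset("www.foo.com", "A", ("5.6.7.8",), Trust.ADDITIONAL))
    return accepted, cache.answer("www.foo.com", "A")


def scenario_cold_cache():
    """Nothing cached for www.foo.com yet.

    Additional-section data is stored (nothing outranks it) but is never
    served as an answer; an authoritative answer later replaces it.
    """
    cache = Cache()
    accepted = cache.add(RRset("www.foo.com", "A", ("5.6.7.8",), Trust.ADDITIONAL))
    served_before = cache.answer("www.foo.com", "A")
    cache.add(RRset("www.foo.com", "A", ("1.2.3.4",), Trust.AUTH_ANSWER))
    served_after = cache.answer("www.foo.com", "A")
    return accepted, served_before, served_after


if __name__ == "__main__":
    print("warm cache:", scenario_warm_cache())
    print("cold cache:", scenario_cold_cache())
```

The warm-cache scenario is the situation the message asks about: with ranking in place, the cached authoritative 1.2.3.4 survives and the additional-section 5.6.7.8 is discarded. The cold-cache scenario shows the other half of the RFC rule, that even when such data is cached it is not handed out as an answer.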
