PLEASE READ: An Important Security Announcement from ISC
Chris Thompson
cet1 at cam.ac.uk
Wed Feb 8 16:25:25 UTC 2012
On Feb 8 2012, Kazunori Fujiwara wrote:
> Searching the title of the vulnerability with google results one PDF document.
> http://www.google.co.jp/#q=Ghost+Domain+Names:+Revoked+Yet+Still+Resolvable+PDF
>
> It shows details.
More directly, http://www.cs.indiana.edu/classes/b649-gupt/kangLiNDSS12.pdf
This is definitely worth reading, being an interesting new twist on a
fairly old theme.
I have some concerns about what the authors seem to favour as a defense
(section 5.1, page 9):
"1. Strengthening the bailiwick rule - DNS resolver implementations
should tighten the bailiwick rule so that a recursive resolver
only accepts a zone's delegation data from [an] authoritative
server of its parent zone."
They admit this would create a problem with "authority mismatches", i.e.
differences between the delegation NS RRset and the in-zone one, and that
these are "common in practice". Well yes, in spades! It would also be
quite inconsistent with the existing credibility rules, and with the
fact that in signed zones the delegation NS RRset is unsigned, on the
basis that it is a hint, not authoritative.
--
Chris Thompson
Email: cet1 at cam.ac.uk
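As an added illustration (not code from the paper, from BIND, or from anyone in this thread), a toy resolver-cache model that contrasts the classic credibility rule with the parent-only rule quoted above, on both the ghost-domain case and the authority-mismatch case raised in the reply; the zone names, TTLs and the daily refresh schedule are constructed assumptions.

```python
from dataclasses import dataclass, field

DAY = 86400  # seconds

@dataclass
class CachedNS:
    names: frozenset   # nameserver names in the cached NS RRset
    expires: int       # absolute time at which the cached RRset expires

@dataclass
class Resolver:
    parent_only: bool  # True = "strengthened bailiwick": delegation NS accepted only from the parent
    cache: dict = field(default_factory=dict)

    def from_parent(self, zone, names, ttl, now):
        # Delegation NS RRset learned from the parent zone's authoritative server.
        self.cache[zone] = CachedNS(frozenset(names), now + ttl)

    def from_child(self, zone, names, ttl, now):
        # In-zone (apex) NS RRset returned by the child's own server. The classic
        # credibility rules accept it and refresh the cache; the parent-only rule ignores it.
        if not self.parent_only:
            self.cache[zone] = CachedNS(frozenset(names), now + ttl)

    def lookup(self, zone, now):
        rec = self.cache.get(zone)
        return rec.names if rec and now < rec.expires else None

def ghost_domain(parent_only, days=10):
    """Parent delegates at t=0 with a 2-day TTL, then drops the delegation. The resolver
    never goes back to the parent while its cached NS RRset is live, and the child's server
    keeps answering with a fresh 2-day NS RRset once a day (constructed schedule).
    Returns the day on which the zone stops resolving, or None if it never does."""
    r = Resolver(parent_only)
    r.from_parent("ghost.test", {"ns1.ghost.test"}, 2 * DAY, 0)
    for day in range(1, days + 1):
        now = day * DAY
        if r.lookup("ghost.test", now) is None:
            return day
        # Resolver follows the cached NS to the child and is handed its NS RRset again.
        r.from_child("ghost.test", {"ns1.ghost.test"}, 2 * DAY, now)
    return None

def authority_mismatch(parent_only):
    """Delegation NS RRset at the parent differs from the in-zone one (an "authority
    mismatch"). Returns the set the resolver uses after querying parent, then child."""
    r = Resolver(parent_only)
    r.from_parent("mis.test", {"ns1.mis.test", "ns3.mis.test"}, DAY, 0)
    r.from_child("mis.test", {"ns1.mis.test", "ns2.mis.test"}, DAY, 1)
    return r.lookup("mis.test", 2)
```

Under the classic rule the ghost zone never expires from the cache, while under the parent-only rule it is gone on day 2; the second function shows the cost of that rule, since a mismatched in-zone NS RRset is then never used.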