DNSSEC and CVE-2012-1033 (Ghost domain names)

Stephane Bortzmeyer bortzmeyer at nic.fr
Thu Feb 9 09:26:15 UTC 2012


In <https://www.isc.org/software/bind/advisories/cve-2012-1033>, ISC 
writes:

> ISC continues to recommend that organizations with security needs
> who are reliant on the Domain Name System proceed with adoption of
> DNSSEC; DNSSEC is the best known method of mitigating this issue.

But ISC provides no details about *how* exactly DNSSEC will solve the
problem. I'm puzzled. In the ghost domain names attack, the child zone
is controlled by the bad guy, who wants the domain to stick. So, he
will certainly not sign it. Unless you make DNSSEC mandatory, how will
you solve the ghost domain problem with DNSSEC? If the resolver is
sticky (will not go to the parent to ask the NS RRset), it won't check
the NSEC at the parent either...

Is it because the resolver, even if sticky, re-queries the parent when
the negative TTL of the (missing) DS records ends? And chokes when it
receives back a NXDOMAIN?
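The "sticky" resolver behaviour described above, as an added toy model that is not code from the original post or from BIND: a delegation cache that lets the child's own NS RRset refresh the cached TTL, compared with one that caps the child-supplied expiry at the parent's delegation expiry. Zone name, TTLs and timestamps are constructed sample values; the attacker's refresh and the takedown are simulated by direct method calls rather than real DNS traffic.

```python
# Toy model (added illustration, not the BIND implementation) of a resolver's
# delegation cache for a ghost-domain scenario. Times are seconds; the zone
# name and TTLs are constructed sample values.

class ResolverCache:
    """Per-zone NS cache entry: [expires_at, parent_expires_at]."""

    def __init__(self, cap_to_parent):
        self.cap_to_parent = cap_to_parent
        self.delegations = {}

    def learn_from_parent(self, zone, now, ttl):
        # A referral from the parent: both expiries derive from its TTL.
        self.delegations[zone] = [now + ttl, now + ttl]

    def learn_from_child(self, zone, now, ttl):
        # The child's own NS RRset (authority section) refreshes the entry.
        entry = self.delegations.get(zone)
        if entry is None:
            return
        new_expiry = now + ttl
        if self.cap_to_parent:
            # Mitigated: the child can never extend the delegation beyond
            # what the parent last vouched for.
            new_expiry = min(new_expiry, entry[1])
        entry[0] = new_expiry

    def resolve(self, zone, now, parent_zones):
        """Return 'CACHED', 'REFERRED' or 'NXDOMAIN' for a lookup at `now`."""
        entry = self.delegations.get(zone)
        if entry is not None and entry[0] > now:
            return "CACHED"            # sticky: the parent is never asked
        if zone not in parent_zones:
            self.delegations.pop(zone, None)
            return "NXDOMAIN"          # parent no longer delegates the zone
        self.learn_from_parent(zone, now, parent_zones[zone])
        return "REFERRED"


def simulate_ghost(cap_to_parent):
    """Delegation removed after t=80000; what does a lookup at t=100000 see?"""
    parent = {"ghost.example.": 86400}       # zone -> NS TTL at the parent
    cache = ResolverCache(cap_to_parent)
    cache.resolve("ghost.example.", 0, parent)              # initial referral
    cache.learn_from_child("ghost.example.", 80000, 86400)  # child refreshes NS
    del parent["ghost.example."]                            # domain taken down
    return cache.resolve("ghost.example.", 100000, parent)
```

With the cap in place the entry expires when the parent's original TTL would have, so the next lookup goes back to the parent and gets the NXDOMAIN; without it the child keeps the entry alive indefinitely.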
