DNSSEC and CVE-2012-1033 (Ghost domain names)

Gilles Massen gilles.massen at restena.lu
Thu Feb 9 22:04:54 UTC 2012

On 9/2/12 21:38 , Casey Deccio wrote:
>     Is it because the resolver, even if sticky, re-queries the parent when
>     the negative TTL of the (missing) DS records ends? And chokes when it
>     receives back a NXDOMAIN?
> Actually, what I have observed in my limited testing is that the
> resolver re-queries the parent after the TTL of the NS RRset in the
> parent, not the negative TTL of the parent.  Upon receiving a NXDOMAIN
> response, it passes that along to the client.

This is what I saw as well, but if the NS rrset is queried explicitly
then the authoritative data from the child (with its TTL) overrides the
cache with the parent's TTL, just as described in the 'vulnerability'.
However, with dnssec-validation enabled, this happens only once - so if
that TTL expires the parent is asked again.

So the maximal exposure to a removed delegation with a validating bind
resolver would be TTL(NS)+TTL(RR), under very favorable conditions. This
could be a long time, but it's not forever.


More information about the bind-users mailing list