
Re: [dnsext] Re: Protecting caches?


Dean Anderson

Oct 10, 2008, 12:25:30 PM10/10/08
[ Note: Post was moderated. ]

On Thu, 9 Oct 2008, Nicholas Weaver wrote:

> I don't believe NXDOMAIN behavior has anything to do with this. It is
> caching the ADDITIONAL records (usually the authoritative nameserver
> records) on what appears to be a VALID (albeit spoofed) reply.

No, you're not following the attack. Additional NS records are spoofed,
resulting in all further queries going to another Nameserver. (Before
bailiwick, this used to be very common; bailiwick was invented to make
that harder. But as was pointed out back then, still not impossible.)

NXDOMAIN has historical relevance to the 'TTL race-to-win' argument. The
race-to-win argument, in proper historical context, is complete BS. You
need to re-read my message.

> Race-until-win is a significant attack innovation. And I have yet to
> see anything that suggests that race-until-win attacks were known
> prior to Kaminsky's work.

There is nothing novel in the race-to-win argument. Every spoofing
attack was always assumed to take place before the correct response
arrived, and before NXDOMAIN, there was no correct response. Even the
NXDOMAIN draft discusses NXDOMAIN being spoofed.

If one looks at the spoofing descriptions, you see brute force described
as "One only needs to send 65k packets before the correct packet
arrives". TTL has nothing to do with anything related to spoofing.

Kaminsky's only 'invention' was the notion that somehow, before
Kaminsky, people thought that TTL was a defense against spoofing. But
that notion was BS to begin with; no one ever thought that.

--Dean

--
Av8 Internet Prepared to pay a premium for better service?
www.av8.net faster, more reliable, better service
617 344 9000

--
to unsubscribe send a message to namedroppe...@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>
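As an added illustration of the bailiwick rule the post refers to (example code written for this archive, not from the thread, BIND or any other resolver): a resolver that queried a server for the `example.com.` zone keeps authority and additional records only when their owner name lies inside that zone, so spoofed out-of-zone glue cannot redirect later queries. The record names, the `other.test.` nameserver and the 203.0.113.9 address are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RR:
    """One resource record from a DNS response (constructed, minimal)."""
    name: str    # owner name, e.g. "ns1.example.com."
    rtype: str   # "NS", "A", ...
    rdata: str   # nameserver target or address

def _labels(name: str) -> list[str]:
    # Case-insensitive label list; a trailing dot or root "." yields [].
    return [l for l in name.lower().rstrip(".").split(".") if l]

def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is `zone` itself or a subdomain of it (label-wise,
    so "notexample.com." is NOT inside "example.com.")."""
    n, z = _labels(name), _labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z

def filter_response(bailiwick: str, authority: list[RR],
                    additional: list[RR]) -> tuple[list[RR], list[RR]]:
    """Apply the bailiwick rule to the authority and additional sections.
    Returns (kept, dropped). Only the owner name is checked: an NS record
    owned by the zone is kept even if its rdata points off-zone, and that
    target must then be resolved independently rather than taken from glue."""
    kept, dropped = [], []
    for rr in authority + additional:
        (kept if in_bailiwick(rr.name, bailiwick) else dropped).append(rr)
    return kept, dropped

# Constructed spoofed reply: the NS owner is in bailiwick, but the glue
# record that would hijack further queries is not and gets dropped.
SPOOFED_AUTHORITY = [RR("example.com.", "NS", "ns.other.test.")]
SPOOFED_ADDITIONAL = [RR("ns.other.test.", "A", "203.0.113.9"),
                      RR("ns1.example.com.", "A", "192.0.2.53")]

def demo() -> tuple[list[str], list[str]]:
    """Return the owner names kept and dropped for the constructed reply."""
    kept, dropped = filter_response("example.com.", SPOOFED_AUTHORITY,
                                    SPOOFED_ADDITIONAL)
    return [rr.name for rr in kept], [rr.name for rr in dropped]

if __name__ == "__main__":
    kept_names, dropped_names = demo()
    print("kept:", kept_names)
    print("dropped (out of bailiwick):", dropped_names)
```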
