[79036] in North American Network Operators' Group
Re: DNS cache poisoning attacks -- are they real?
daemon@ATHENA.MIT.EDU (Florian Weimer)
Tue Mar 29 06:09:29 2005
From: Florian Weimer <fw@deneb.enyo.de>
To: Simon Waters <simonw@zynet.net>
Cc: John Payne <john@sackheads.org>, nanog@merit.edu, Randy Bush <randy@psg.com>
Date: Tue, 29 Mar 2005 13:08:50 +0200
In-Reply-To: <1112092669.15380.TMDA@mercury.zynet.net> (Simon Waters's message of "Tue, 29 Mar 2005 11:37:46 +0100")
Errors-To: owner-nanog@merit.edu
* Simon Waters:
>> This is _nothing_ to do with what you're running on the recursive
>> nameserver. It is doing _exactly_ what it is supposed to do. Get
>> answers, store in cache, respond to queries from cache if TTL isn't
>> expired.
>
> The answers from a recursive server won't be marked authoritative (AA bit not
> set), and so correct behaviour is to discard (BIND will log a lame server
> message as well by default) these records.
Unfortunately, this is not quite true. Brad and Chris are right. I
couldn't believe it either, but after a long stare at BIND's is_lame
function, I have to agree with them.
BIND accepts non-authoritative answers if their additional section
looks a bit like a referral. I don't think that this check is
deliberately lax, but stricter checks are simply harder to do on this
particular code path.
> If your recursive resolver doesn't discard these records, suggest
> you get one that works ;)
Which one would? Keep in mind that referrals do not have the AA bit
set, so a simple filter wouldn't work.
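A toy model of the point made in this exchange, added here as an illustration; it is not part of Florian's post and not BIND's code. Three constructed responses show why a plain "discard if AA is clear" filter would also drop legitimate referrals, and why a referral-shaped additional section alone is not enough to trust a non-authoritative answer. The record shapes, function names and the "strict" rule are assumptions.

```python
# Added illustration (not from the original post or BIND's source): a toy model
# of the AA-bit vs. referral distinction. Records are (owner name, type) tuples.
from dataclasses import dataclass, field


@dataclass
class Response:
    aa: bool                                        # AA flag from the DNS header
    answer: list = field(default_factory=list)      # answer section
    authority: list = field(default_factory=list)   # authority section
    additional: list = field(default_factory=list)  # additional section


def naive_aa_filter(r):
    """The proposed simple filter: keep only responses with AA set."""
    return "accept" if r.aa else "discard"


def looks_like_referral(r):
    """Authority carries NS records and additional carries glue (A/AAAA)."""
    return any(t == "NS" for _, t in r.authority) and \
           any(t in ("A", "AAAA") for _, t in r.additional)


def lax_check(r):
    """Model of the lax behaviour described above: a non-AA response is
    accepted as long as its additional section looks like a referral."""
    return "accept" if (r.aa or looks_like_referral(r)) else "discard"


def strict_check(r):
    """Stricter rule (an assumption, not BIND's logic): a non-AA response is
    only usable as a referral, so it must carry no answer records at all."""
    if r.aa:
        return "accept"
    if looks_like_referral(r) and not r.answer:
        return "accept-referral"
    return "discard"


# Constructed sample responses for the three shapes the post distinguishes
AUTH_ANSWER = Response(aa=True, answer=[("www.example.", "A")])
REFERRAL = Response(aa=False, authority=[("example.", "NS")],
                    additional=[("ns1.example.", "A")])
LAME_WITH_GLUE = Response(aa=False, answer=[("www.example.", "A")],
                          authority=[("example.", "NS")],
                          additional=[("ns1.example.", "A")])


def evaluate(r):
    """Return (naive, lax, strict) verdicts for one response."""
    return (naive_aa_filter(r), lax_check(r), strict_check(r))
```

The naive filter discards the plain referral, which would stop iterative resolution; the lax rule accepts the non-AA answer that merely carries glue; only the strict rule separates the two.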