Re: Poison in a zone
D. J. Bernstein writes:
> Yes or no: Does the specific attack described on my web page work
> against BIND 9?

It does not.  BIND 9 is currently incapable of storing out-of-domain
glue records (i.e., records whose owner name is not a subdomain of the
zone apex), whether it is acting as a primary or a secondary.
Therefore, it will discard such records whether they are loaded from a
master file or received as part of a zone transfer.  This might be
considered either a security feature or a bug depending on your point
of view.

> > where the ISP is the *master* for the domains
> 
> Different situation, but same solution: discard all records outside the
> source's bailiwick. End of problem.

Yes, requiring all authoritative servers (masters and slaves) to
discard out-of-domain glue would solve the problem you described.  If
we do this, slaves to conformant masters will never actually discard
any records because anything that the slave would discard has already
been discarded by the master, and the integrity of the zone will be
preserved as required in axfr-clarify section 4.

> > more discriminate anti-spoofing rules
> 
> Namely? Exactly what would you suggest in place of the de-facto-standard
> bailiwick rule?

What Masataka Ohta suggested in August 2001:

 Ohta> I have been suggesting that these records be put in a referral-local
 Ohta> cache content of which is not used for usual A query nor glue A of
 Ohta> other referral points.

-- 
Andreas Gustafsson, gson@nominum.com
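The rule the exchange above turns on, "discard all records outside the source's bailiwick", is simple to state but has edge cases worth seeing in code: the comparison must be label-wise (so `notexample.com.` is not under `example.com.`), case-insensitive, and applied identically whether the records come from a master file or a zone transfer. The following is an added illustration, not code from BIND 9, Nominum or any poster in the thread; the zone apex `example.com.`, the `SAMPLE_ZONE` records, and the function names are constructed for the example. It assumes owner names are already absolute (any `$ORIGIN` expansion has happened earlier in the loader).

```python
# Added example of a bailiwick filter for authoritative zone data.
# Not BIND 9 code; apex and records below are constructed for illustration.
from __future__ import annotations

APEX = "example.com."  # constructed zone apex

# Constructed records in the shape (owner, type, rdata), as a loader might
# produce them from a master file or an AXFR stream.
SAMPLE_ZONE = [
    ("example.com.", "SOA",
     "ns1.example.com. hostmaster.example.com. 1 3600 900 604800 300"),
    ("example.com.", "NS", "ns1.example.com."),
    ("ns1.example.com.", "A", "192.0.2.1"),          # in-zone glue: kept
    ("sub.example.com.", "NS", "ns.example.net."),   # delegation to a foreign name: kept
    ("ns.example.net.", "A", "192.0.2.53"),          # out-of-domain glue: dropped
    ("www.example.com.", "A", "192.0.2.10"),
    ("notexample.com.", "A", "198.51.100.1"),        # suffix lookalike: dropped
    ("WWW.EXAMPLE.COM.", "AAAA", "2001:db8::10"),    # case differs, still in zone: kept
]


def _labels(name: str) -> list[str]:
    """Split an absolute DNS name into lowercase labels.

    DNS names compare case-insensitively, and the root name is the empty
    label list, so 'example.com.' becomes ['example', 'com'].
    """
    name = name.rstrip(".").lower()
    return name.split(".") if name else []


def in_bailiwick(owner: str, apex: str) -> bool:
    """True iff owner is the apex itself or a proper subdomain of it.

    The check is on whole labels, not on a character suffix, so
    'notexample.com.' is correctly rejected for apex 'example.com.'.
    """
    o, a = _labels(owner), _labels(apex)
    return len(o) >= len(a) and o[len(o) - len(a):] == a


def filter_zone(records, apex):
    """Apply the bailiwick rule to a batch of records.

    Returns (kept, dropped). Everything whose owner name lies outside the
    zone, which is exactly the out-of-domain glue discussed in the thread,
    ends up in `dropped`; the caller can log it rather than store it.
    """
    kept, dropped = [], []
    for rr in records:
        (kept if in_bailiwick(rr[0], apex) else dropped).append(rr)
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = filter_zone(SAMPLE_ZONE, APEX)
    for owner, rtype, rdata in dropped:
        print(f"discarding out-of-domain record: {owner} {rtype} {rdata}")
    print(f"{len(kept)} records retained for zone {APEX}")
```

The same `filter_zone` is meant to run on both the primary (when loading the master file) and the secondary (on the records received in a transfer). Running it a second time over `kept` drops nothing, which is the property the message relies on: a secondary behind a conformant primary never discards anything, so the transferred zone stays intact.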