Maintained by: NLnet Labs

[Unbound-users] Increase RRset poisoning resistance

Ondřej Surý
Tue Aug 12 00:38:48 CEST 2008


> 1. "poison a single address record" attack.
>
> This is when an attacker tries to match the qid/port of a request. This is
> clearly is not an issue with unbound, which is well designed in
> terms of randomness, and has first-rate test results; e.g.
>
>  <https://www.dns-oarc.net/oarc/services/porttest> )

Argh, not again...  Kaminsky-style attack is not about port randomization.
Read his papers from doxpara.com...   It's just much more easier to poison
cache if you don't do random ports.

> Suggestion: That unbound incorporate additional logic to defend against a
> "poisoned authority record" attack - logic in addition to its superior
> port/qid randomization?
>
> This additional logic is: that an exact match, not merely an "in-bailiwick"
> match be required before unbound would accept glue/RR record additions or
> updates.
>
> It seems to me that little harm would result if unbound were instructed
> to accept glue/RR records only from *exact* matches, and not from *inexact*,
> but in-bailiwick authority records.

"seems to" and "little harm" are really dangerous words in context of DNS.
There are lot of servers in the wild which doesn't do the right thing, there
is a lot of inconsistencies in DNS data and that "little harm" you are speaking
about could cause severe damage.

But I think this is not right place to discuss that.  This issue is
spreads across
platforms and servers and the right place (or just better place) to
discuss this is
namedroppers list (mailling list of dnsext working group @ ietf).  And
you should
probably start by reading archives before making suggestions, so you
are not rehashing
issues already discussed.

Ondrej.
-- 
Ondřej Surý <ondrej at sury.org>