At Tue, 2 Sep 2008 16:51:55 -0400,
"L. Gabriel Somlo" wrote:

> > Of course, if the recursive server has cached a valid,
> > the result of the attack won't be effective until it expires. But
> > once it expires, the attacker gets the full control of it and keeps
> > the situation as long as they want. (This is different from how the
> > TTL matters in the traditional brute force attacks).

> I tried that, and it doesn't work if the victim server already has an

I also tried that successfully. What exactly did you try, and how
didn't it work?

> A record for cached. The attack you described relies on
> there being nothing in the cache for The presence of an A
> record means the attack must succeed before the valid A record gets
> cached or wait until after it expires and before it gets renewed again.

No, the presence of an A record simply means the attack is not
effective until the A record expires (the attack itself succeeds
anytime unless the server also caches, which is very
unlikely). When "it gets renewed again", the server is already
poisoned with the forged NS, and it will be poisoned with a forged A
record by the forged NS.

JINMEI, Tatuya
Internet Systems Consortium, Inc.
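To make the timing argument in this exchange concrete, here is an added toy model of a recursive resolver cache (example code, not from this thread or from any resolver implementation): names, addresses and TTLs are constructed, and how a forged NS record ends up in the cache is deliberately left out of the model. It shows that a valid cached A record only masks the forged delegation until its TTL runs out.

```python
from dataclasses import dataclass
# Constructed illustration: a minimal TTL-aware cache plus a resolver that,
# on a cache miss, asks whichever server the cache currently holds as NS.

@dataclass
class Entry:
    rdata: str
    expires_at: int          # absolute time in seconds

class ToyCache:
    def __init__(self):
        self.entries = {}    # (name, rtype) -> Entry

    def put(self, name, rtype, rdata, ttl, now):
        self.entries[(name, rtype)] = Entry(rdata, now + ttl)

    def get(self, name, rtype, now):
        e = self.entries.get((name, rtype))
        if e is None or e.expires_at <= now:   # expired entries are dropped
            self.entries.pop((name, rtype), None)
            return None
        return e.rdata

# Stand-in "authoritative" servers keyed by NS name; each returns (address, ttl).
SERVERS = {
    "ns.legit.example.":  lambda name: ("192.0.2.10", 300),
    "ns.forged.example.": lambda name: ("203.0.113.99", 86400),
}

def resolve_a(cache, name, zone, now):
    """Answer from cache if fresh, else query the cached NS for the zone and cache the result."""
    addr = cache.get(name, "A", now)
    if addr is not None:
        return addr, "cache"
    ns = cache.get(zone, "NS", now)
    addr, ttl = SERVERS[ns](name)          # the server named by the cached NS answers
    cache.put(name, "A", addr, ttl, now)
    return addr, ns

def timeline():
    c = ToyCache()
    c.put("example.", "NS", "ns.legit.example.", 86400, now=0)
    c.put("www.example.", "A", "192.0.2.10", 300, now=0)       # valid A record, TTL 300
    # t=10: the zone's cached NS set is now the forged one (taken as given, as in the thread)
    c.put("example.", "NS", "ns.forged.example.", 86400, now=10)
    return [(t,) + resolve_a(c, "www.example.", "example.", t) for t in (100, 299, 301, 5000)]
```

From a defender's side, the lesson of the timeline is that a correct-looking A answer says nothing about whether the cached NS set for the zone is still clean; after a suspected poisoning window, the delegation entries need to be inspected or flushed as well.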