At Tue, 2 Sep 2008 16:51:55 -0400,
"L. Gabriel Somlo" wrote:

> > Of course, if the recursive server has cached a valid www.cnn.com/A,
> > the result of the attack won't be effective until it expires. But
> > once it expires, the attacker gets the full control of it and keeps
> > the situation as long as they want. (This is different from how the
> > TTL matters in the traditional brute force attacks).

>
> I tried that, and it doesn't work if the victim server already has an

I also tried that successfully. What exactly did you try, and how
didn't it work?

> A record for www.cnn.com cached. The attack you described relies on
> there being nothing in the cache for www.cnn.com. The presence of an A
> record means the attack must succeed before the valid A record gets
> cached or wait until after it expires and before it gets renewed again.
No, the presence of an A record simply means the attack is not
effective until the A record expires (the attack itself succeeds
anytime unless the server also caches www.cnn.com./NS, which is very
unlikely). When "it gets renewed again", the server is already
poisoned with the forged NS, and it will be poisoned with a forged A
record by the forged NS.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
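
As an added illustration (my code, not anything posted by either participant), the cache behaviour discussed above modelled as a small Python simulation: a resolver holds a valid www.cnn.com/A, a forged www.cnn.com./NS arrives in the meantime, and the cached A keeps answering until its TTL runs out, after which the next lookup follows the forged NS. The second scenario models the caveat that an unexpired www.cnn.com./NS already in the cache keeps the forged one from being installed. Names, addresses, TTLs and the "don't overwrite an unexpired entry" rule are all constructed for the simulation and are not taken from any real resolver.

```python
from dataclasses import dataclass

# Constructed addresses for the simulation (192.0.2.0/24 is documentation space).
LEGIT_A = "157.166.224.25"
FORGED_A = "192.0.2.66"
FORGED_NS = "ns.attacker.example."   # hypothetical attacker-controlled server
LEGIT_NS = "ns1.cnn.com."


@dataclass
class Record:
    rdata: str
    expires: int          # absolute simulation time (seconds)


class ResolverCache:
    """Minimal model of a recursive server's cache keyed by (name, type)."""

    def __init__(self):
        self.rrs = {}

    def lookup(self, name, rtype, now):
        rec = self.rrs.get((name, rtype))
        if rec is None:
            return None
        if now >= rec.expires:          # TTL ran out: drop and report a miss
            del self.rrs[(name, rtype)]
            return None
        return rec

    def insert(self, name, rtype, rdata, ttl, now, replace=False):
        """Cache a record. With replace=False (data taken from the authority
        section of some other answer) an unexpired entry already in the cache
        wins; this stands in for the case where www.cnn.com./NS is already
        cached. Returns whether the record was installed."""
        if not replace and self.lookup(name, rtype, now) is not None:
            return False
        self.rrs[(name, rtype)] = Record(rdata, now + ttl)
        return True


def ask(nameserver):
    """Constructed upstream behaviour: the attacker's server answers with
    FORGED_A, the legitimate server with LEGIT_A."""
    return FORGED_A if nameserver == FORGED_NS else LEGIT_A


def resolve_www(cache, now):
    """Answer www.cnn.com/A at time `now`: an unexpired cached A is served
    as-is; otherwise the resolver follows the most specific cached NS."""
    a = cache.lookup("www.cnn.com.", "A", now)
    if a is not None:
        return a.rdata, "cache"
    ns = cache.lookup("www.cnn.com.", "NS", now) or cache.lookup("cnn.com.", "NS", now)
    answer = ask(ns.rdata)
    cache.insert("www.cnn.com.", "A", answer, 300, now, replace=True)
    return answer, ns.rdata


def simulate(ns_already_cached=False):
    """Return (forged NS accepted?, [(time, address, source), ...])."""
    cache = ResolverCache()
    t = 0
    cache.insert("cnn.com.", "NS", LEGIT_NS, 86400, t, replace=True)
    cache.insert("www.cnn.com.", "A", LEGIT_A, 300, t, replace=True)   # valid A, 300 s TTL
    if ns_already_cached:
        cache.insert("www.cnn.com.", "NS", LEGIT_NS, 86400, t, replace=True)
    # t=10: a forged answer for some random label under www.cnn.com carries
    # "www.cnn.com. NS ns.attacker.example." in its authority section.
    accepted = cache.insert("www.cnn.com.", "NS", FORGED_NS, 86400, 10)
    timeline = [(t,) + resolve_www(cache, t) for t in (60, 299, 300, 1000)]
    return accepted, timeline


if __name__ == "__main__":
    for flag in (False, True):
        accepted, timeline = simulate(ns_already_cached=flag)
        print(f"www.cnn.com./NS already cached: {flag}; forged NS accepted: {accepted}")
        for when, addr, source in timeline:
            print(f"  t={when:4d}s  www.cnn.com A {addr}  (via {source})")
```

In the first scenario the resolver keeps returning the legitimate address from its cache through t=299, and at t=300, the moment the A expires, the re-query goes to the forged NS and the attacker's address is cached in its place; every later expiry repeats that. In the second scenario the forged NS is never installed and the t=300 refresh goes to ns1.cnn.com.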