On Tue, Sep 02, 2008 at 02:10:12PM -0700, JINMEI Tatuya / 神明達哉 <Jinmei_Tatuya@isc.org> wrote:
>
> No, the presence of an A record simply means the attack is not
> effective until the A record expires (the attack itself succeeds
> anytime unless the server also caches www.cnn.com./NS, which is very
> unlikely). When "it gets renewed again", the server is already
> poisoned with the forged NS, and it will be poisoned with a forged A
> record by the forged NS.
Just shooting from the hip here, but what if we made it a rule to
never cache an NS record for longer than an existing, identically
named A record?

Thanks,
Gabriel
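The timeline from the two messages above, modelled as an added example (my own toy cache, not code from anyone in the thread): a legitimate A record for www.cnn.com is cached, a forged NS for the same name with a long TTL arrives, and the proposed rule caps the NS entry's TTL at the A record's remaining TTL. The name ns.attacker.invalid and the TTL values are constructed for the illustration.

```python
# Added example: a minimal resolver cache that optionally applies the rule
# "never cache an NS record longer than an existing A record of the same name".
from dataclasses import dataclass, field


@dataclass
class Cache:
    now: float = 0.0
    # (name, rrtype) -> (rdata, absolute expiry time in seconds)
    entries: dict = field(default_factory=dict)

    def _remaining(self, name, rrtype):
        """Seconds of TTL left for a live entry, or None if absent/expired."""
        entry = self.entries.get((name, rrtype))
        if entry is None or entry[1] <= self.now:
            return None
        return entry[1] - self.now

    def store(self, name, rrtype, rdata, ttl, cap_ns_to_a=True):
        """Cache a record and return the TTL actually used."""
        if cap_ns_to_a and rrtype == "NS":
            a_left = self._remaining(name, "A")
            if a_left is not None:          # the proposed rule: NS cannot outlive A
                ttl = min(ttl, a_left)
        self.entries[(name, rrtype)] = (rdata, self.now + ttl)
        return ttl

    def lookup(self, name, rrtype):
        """Return cached rdata, or None once the entry has expired."""
        if self._remaining(name, rrtype) is None:
            self.entries.pop((name, rrtype), None)
            return None
        return self.entries[(name, rrtype)][0]

    def advance(self, seconds):
        self.now += seconds


def scenario(cap_ns_to_a):
    """Constructed timeline: legit A cached (TTL 300), then a forged NS for the
    same name with TTL 86400 is accepted. Returns the NS the resolver would
    consult once the A record has expired."""
    c = Cache()
    c.store("www.cnn.com", "A", "192.0.2.1", ttl=300)
    c.store("www.cnn.com", "NS", "ns.attacker.invalid", ttl=86400,
            cap_ns_to_a=cap_ns_to_a)
    c.advance(301)                           # A record is now gone
    return c.lookup("www.cnn.com", "NS")    # None with the rule, forged NS without
```

Without the cap the forged NS survives the A record and is what the resolver would follow on renewal, which is the failure Jinmei describes; with the cap it expires together with the A. The rule only helps when an A record is already cached, so it does not cover the case where the forged NS arrives for a name with nothing in the cache.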