Security comments re draft-ietf-dnsext-unknown-rrs-00.txt
One problem I have with this draft is blind Kashpureff attacks. One of
the reasons Kashpureff was successful is that implementations didn't
check returned data very hard, rather they simply cached it and passed
it on later. What this draft does, I believe, and regardless of
DNSsec, is make this kind of attack trivial again.
Additionally, I can imagine a cleverly crafted unknown RR type that
tickles a resolver implementation error, such as a buffer overrun or
an off-by-one error, for a given set of clients, such as a particular
unpatched version of Microsoft NT. Since a server simply passes data
on, you have no hope of distinguishing between proper data and
bad data and protecting clients.
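The first objection above is about resolvers caching whatever a response carries. The usual defence is a "bailiwick" (credibility) check: only records whose owner name falls under the zone the queried server is authoritative for are accepted, and the check is done on the owner name alone, so it works the same way for an RR type the resolver has never heard of. The following is an added illustration, not code from the draft or from the poster; the zone names, addresses, the TYPE65280 record and the whole response are constructed for the example.

```python
# Added example (not from the original post): a minimal bailiwick check of
# the kind a caching resolver applies before storing answer, authority and
# additional records. All names, addresses and the response are made up.

from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str      # owner name, e.g. "www.example.com."
    rtype: str     # "A", "NS", or a generic "TYPEnnn" for an unknown type
    ttl: int
    rdata: bytes   # raw RDATA; for an unknown type this is just opaque bytes


def _labels(name):
    """Split a domain name into lower-cased labels, root label dropped."""
    return tuple(name.rstrip(".").lower().split("."))


def in_bailiwick(zone, name):
    """True if `name` is at or below `zone`.

    The comparison is label-wise, not a string suffix test, so that
    "notexample.com." is NOT treated as being under "example.com.".
    """
    z, n = _labels(zone), _labels(name)
    return len(n) >= len(z) and n[-len(z):] == z


def filter_response(zone, response):
    """Partition a response into records that may be cached and records that
    must be discarded because their owner name lies outside `zone`.

    `response` maps section name -> list of RR. The RR type is never
    inspected, so an unknown type gets exactly the same treatment as A or NS.
    """
    accepted, rejected = [], []
    for section, rrs in response.items():
        for rr in rrs:
            bucket = accepted if in_bailiwick(zone, rr.name) else rejected
            bucket.append((section, rr))
    return accepted, rejected


# Constructed response: the resolver asked the server for attacker.example
# about www.attacker.example. The answer and authority sections are fine, but
# the additional section tries to plant an A record for www.example.com and
# an unknown-type record for ns.example.com (Kashpureff-style poisoning).
CONSTRUCTED_RESPONSE = {
    "answer": [
        RR("www.attacker.example.", "A", 3600, bytes([203, 0, 113, 10])),
    ],
    "authority": [
        RR("attacker.example.", "NS", 3600, b"\x02ns\x08attacker\x07example\x00"),
    ],
    "additional": [
        RR("ns.attacker.example.", "A", 3600, bytes([203, 0, 113, 1])),
        # out of bailiwick: would hijack example.com if cached
        RR("www.example.com.", "A", 86400, bytes([192, 0, 2, 66])),
        # out of bailiwick AND an unknown type; the check still drops it
        RR("ns.example.com.", "TYPE65280", 86400, b"\x00\x01\x02\x03"),
    ],
}


def rejected_names(zone=
                   "attacker.example.", response=CONSTRUCTED_RESPONSE):
    """Owner names that the resolver refuses to cache for this response."""
    _, rejected = filter_response(zone, response)
    return [rr.name for _, rr in rejected]


if __name__ == "__main__":
    accepted, rejected = filter_response("attacker.example.", CONSTRUCTED_RESPONSE)
    for section, rr in accepted:
        print("cache  ", section, rr.name, rr.rtype)
    for section, rr in rejected:
        print("discard", section, rr.name, rr.rtype)
```

The check addresses only the first concern: it stops a server from planting records for names it has no authority over, whatever their type. It does nothing for the second concern, malformed RDATA in a type the resolver cannot parse, because a resolver that forwards unknown types opaquely has, by design, no type-specific validation to apply.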