In article <199707301403.KAA08865@jekyll.piermont.com>, you wrote:
Oh, beautiful. I'd love a tool like that -- it would give me a way of forcing copies of BIND that had been rigged not to accept arbitrary
I'm sorry I'm not being more clear about this, but I figured the word "re-issued" would convey the point. I will reiterate clearly: BIND, upon detecting forged responses to an OPEN QUERY, INVALIDATES the old query (which currently means taking the query's ID off the list of in-use query IDs) and initiates a NEW query. BIND, upon receiving a response to a query that isn't even open, logs and ignores the packet.
outside queries to make queries of my choice. Were I a systems cracker, I would love such a tool. I can think of some other mean hacks I could do with that facility, too.
Well, it's a good thing nobody has proposed that "tool".
The problem is not a lack of "clever hacks". The problem is a lack of security in the DNS protocols without DNSSEC.
The problem is that DNSSEC is not going to happen within the next 3 months; what are people running production networks using the old protocols going to do until it IS completely available? Put more directly: if I publish an exploit for a problem in the DNS protocol that cannot be fixed completely without DNSSEC, /What do you do/? You operate a highly available network used by thousands of customers daily, all of whom are angrily calling and asking why they're seeing PORN when they fire up their copy of Netscape, which happily resolves HOME.NETSCAPE.COM to WWW.PORNSHOP.COM. Remember, this is a problem that can't be fixed without a globally-deployed protocol re-vamp. What do you do? -- ---------------- Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf@enteract.com] ---------------- exit(main(kfp->kargc, argv, environ));