Leo Bicknell wrote:
If your vendor told you that you are not at risk they are wrong, and need to go re-read the Kaminski paper. EVERYONE is vunerable, the only question is if the attack takes 1 second, 1 minute, 1 hour or 1 day. While possibly interesting for short term problem management none of those are long term fixes. I'm not sure your customers care when .COM is poisoned if it took the attacker 1 second or 1 day.
EVERYONE with a CACHE MIGHT be vulnerable. Have studies been done to determine if existing cached records will be overwritten on ALL caching resolvers? Poisoning has always and will always be possible until DNSSEC, but the question isn't if you can poison a few off the wall records, but if you can poison the resolver in any meaningful way. If the cache isn't passively overwritten, then the only records you could poison would be records that aren't cached. The operational impact would be a much smaller scope. .COM will be cached constantly and to poison it, the attacker would have to forge the packet in the small window of cache expiry to renewal. This can be mitigated even more if sites give out auth on negative responses, which means for that specific domain, the attacker gets 1 shot to spoof and then the auth info is cached. Obviously there is a downside to sending larger packets, but that is a decision for the domain holder. I'll be happy to add DNSSEC to my operational list as soon as it's actually useful (other people can argue over who signs what). Jack