"Thomas H. Ptacek" writes:
No, it *is* immune to all variants on *THAT* attack. It isn't immune to other sorts of attacks.
I think you are speaking in fairly blatant factual error here, or we are in micommunication with respect to the meaning of the word "variant".
No, my facts here are more or less accurate. Eugene's attack was very crude. He just put some bogus NS records into his alternic.net zone so that queries for www.alternic.net would pick up those bogus servers and their associated A records. His "sophisticated hack" consisted of typing "dig @victim -t a www.alternic.net", or something like it. I did tcpdumps of his "attack" in progress when he hit my machines so I have logs of what he did, not that they are very interesting. An attack like this, done just by putting bogus data into your DNS boot files in a similar manner, isn't going to work against the latest versions of BIND -- indeed, none of the reasonable "variants" on the attack would work, either. There *are* attacks that will work against the BIND 8.1.1, but they require that you actually learn how to program in C and do something active, and they won't do for you what one of Eugene's hacks did. I'm sure our friends at 2600 will be publishing them any day, but really, there isn't much to be done about them other than implementing DNSSEC. Perry