Wouldn't a behavior like this be able to be used to bring name servers down by simply killing CPU time?

Yes, and it's easier than killing CPU time; there's a targeted attack wherein I can pick a resource record and continuously throw forged responses for it, with bad query IDs, at a nameserver - that server is now unable to resolve requests for that record. And, of course, this ties in nicely with other unfixed servers, since, right now, any problem that allows me to prevent a BIND server from responding to queries will allow me to spoof anything it's authoritative for.

Attack detection is a tool, not an answer. I'm curious as to why it hasn't been discussed further; it's certainly not MY idea, and it's certainly been talked about on other forums. There are other tools available as well. I suppose the point (right now) is that there are things that can be done to strengthen the current DNS protocol (as well as its implementations) that won't break naive servers and will make attacks far harder, even in the absence of DNSSEC.

What do you think the timeline is on global deployment of DNSSEC? It's surprising to me that people aren't more concerned, in light of the fact that you've just been told flat out, by myself as well as by Mr. Vixie, that there are exploitable problems that can't be entirely fixed until the entire protocol is modified. I suppose the operations context to this is, "hey, you realize DNS is COMPLETELY BROKEN? What are your plans for dealing with the possibility of someone posting exploits?"

Do we simply stop using DNS?

----------------
Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf@enteract.com]
----------------
"If you're so special, why aren't you dead?"
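An added toy model, not part of the original post and not BIND's code, of the failure mode described above: a resolver whose "attack detection" abandons an outstanding query when a response with the wrong query ID arrives, compared with one that simply discards the mismatch and keeps waiting. Names, addresses and the forged-response count are constructed for the simulation.

```python
import random
from dataclasses import dataclass, field


@dataclass
class Resolver:
    """Toy stub resolver: one outstanding query per name (simulation only)."""
    abort_on_mismatch: bool                       # the 'attack detection' policy
    pending: dict = field(default_factory=dict)   # name -> expected query ID
    mismatches: int = 0

    def send_query(self, name: str) -> int:
        qid = random.randrange(65536)             # 16-bit DNS query ID
        self.pending[name] = qid
        return qid

    def receive(self, name: str, qid: int, rdata: str):
        """Return rdata if the response is accepted, else None."""
        expected = self.pending.get(name)
        if expected is None:
            return None                           # nothing outstanding: dropped
        if qid != expected:
            self.mismatches += 1
            if self.abort_on_mismatch:
                # Policy A: treat the mismatch as an attack and give up on the
                # query, so the record becomes unresolvable while the flood lasts.
                del self.pending[name]
            return None                           # Policy B: ignore, keep waiting
        del self.pending[name]
        return rdata


def run_scenario(abort_on_mismatch: bool, forged: int = 5, seed: int = 1) -> dict:
    """Forged wrong-ID responses arrive first, then the legitimate answer."""
    random.seed(seed)
    r = Resolver(abort_on_mismatch)
    name = "www.example.test."                    # constructed name
    qid = r.send_query(name)
    poisoned = False
    for _ in range(forged):
        bad_id = (qid + random.randrange(1, 65536)) % 65536   # always != qid
        poisoned |= r.receive(name, bad_id, "192.0.2.66") is not None
    answer = r.receive(name, qid, "192.0.2.1")    # legitimate answer last
    return {"answer": answer, "poisoned": poisoned, "mismatches": r.mismatches}


if __name__ == "__main__":
    print("abort policy :", run_scenario(True))
    print("ignore policy:", run_scenario(False))
```

Neither policy accepts a wrong-ID answer, so aborting buys no extra poisoning protection; it only converts a failed spoof into a denial of service for that record.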