Questions:
(1) It looks to me like if the ghost name is in our DNS RPZ zone, then that 'fixes' the problem for that name. Is this correct? (2) It also looks like restarting bind flushes the cache and that prevents the repopulation of the local cache with names which are ghosts (new different ghost names could, of course, be created). Is this correct? Thanks, John ------------------------------------------------------------------------------- John Hascall, j...@iastate.edu Team Lead, NIADS (Network Infrastructure, Authentication & Directory Services) IT Services, The Iowa State University of Science and Technology > In <https://www.isc.org/software/bind/advisories/cve-2012-1033>, ISC > writes: > > > ISC continues to recommend that organizations with security needs > > who are reliant on the Domain Name System proceed with adoption of > > DNSSEC; DNSSEC is the best known method of mitigating this issue. > > But ISC provides no details about *how* exactly DNSSEC will solve the > problem. I'm puzzled. In the ghost domain names attack, the child zone > is controlled by the bad guy, who wants the domain to stick. So, he > will certainly not sign it. Unless you make DNSSEC mandatory, how will > you solve the ghost domain problem with DNSSEC? If the resolver is > sticky (will not go to the parent to ask the NS RRset), it won't check > the NSEC at the parent either... > > Is it because the resolver, even if sticky, re-queries the parent when > the negative TTL of the (missing) DS records ends? And chokes when it > receives back a NXDOMAIN? > _______________________________________________ > Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list > > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users > _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users