Mukund Sivaraman <m...@isc.org> wrote:
>
> There's an attempt to make it go one step further by refreshing whole
> zones in the cache:
>
> https://github.com/muks/dnsrefresh
>
> It needs another section to be completed before upload, possibly in time
> for IETF-97.
Oh dear, that is deeply problematic wrt DNSSEC.

It allows an attacker to suppress modifications to a zone (i.e. prevent a
cache from seeing changed records) by fiddling with the EDNS ZONE option in
responses to queries from the cache.

It's hard to fix this: even if you use the signed SOA RRset instead of the
unsigned ZONESERIAL and ZONENAME in the ZONE option, an attacker can still
replay old SOA records up to the signature expiry time, which is frequently
weeks in the future.

Now, to be fair, DNSSEC already allows this kind of replay attack. But the
ZONE option greatly magnifies the effect of a successful attack.

Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/ - I xn--zr8h punycode
Northwest Fitzroy, Sole: Southwesterly 5 or 6, veering westerly or
northwesterly 4 or 5 for a time. Moderate or rough. Rain or showers. Good,
occasionally moderate.
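The replay window Tony describes, modelled as an added example (not code from this thread or from the dnsrefresh draft): a cache that decides "zone unchanged, skip refresh" from a validated SOA RRset can only reject a replayed old SOA once its RRSIG has expired, so the exposure lasts until the signature's expiration. The `SignedSOA` shape and the decision function are assumptions for illustration; the serial and timestamp comparisons follow RFC 1982 and RFC 4034/4035.

```python
# Added example: how long a validator would keep accepting a replayed, still-validly-signed
# SOA RRset, and why that lets a ZONE-option-driven refresh be suppressed.
from dataclasses import dataclass

MOD = 1 << 32  # SOA serials and RRSIG timestamps are 32-bit (RFC 1982, RFC 4034 s3.1.5)


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 serial-number arithmetic: is a 'greater than' b (handles wrap-around)?"""
    a, b = a % MOD, b % MOD
    return (a < b and b - a > MOD // 2) or (a > b and a - b < MOD // 2)


@dataclass
class SignedSOA:
    """Minimal model (assumed shape) of a SOA RRset plus the fields of its RRSIG we need."""
    serial: int       # SOA serial covered by the signature
    inception: int    # RRSIG inception, seconds since epoch mod 2^32
    expiration: int   # RRSIG expiration, seconds since epoch mod 2^32


def signature_current(sig: SignedSOA, now: int) -> bool:
    """RFC 4035 s5.3.1 time check: inception <= now <= expiration, in serial arithmetic."""
    return not serial_gt(sig.inception, now) and not serial_gt(now, sig.expiration)


def zone_looks_unchanged(cached_serial: int, sig: SignedSOA, now: int) -> bool:
    """Decision an assumed zone-refresh cache makes from a signed SOA: skip the refresh when
    the serial is not newer than the one it holds.  A replayed old SOA passes this check
    for as long as its signature is current; the validator cannot tell it is stale."""
    if not signature_current(sig, now):
        return False  # expired or not-yet-valid signature cannot be used to suppress a refresh
    return not serial_gt(sig.serial, cached_serial)


def replay_window(sig: SignedSOA, now: int) -> int:
    """Seconds for which this SOA RRset could still be replayed and accepted as current."""
    return (sig.expiration - now) % MOD if signature_current(sig, now) else 0


if __name__ == "__main__":
    # Constructed sample: a SOA signed yesterday with a three-week validity period.
    now = 1_000_000
    old = SignedSOA(serial=2016110101, inception=now - 86400, expiration=now + 21 * 86400)
    print("refresh suppressed:", zone_looks_unchanged(2016110101, old, now))
    print("replay window (days):", replay_window(old, now) / 86400)
```

Shortening RRSIG validity periods shrinks `replay_window`; it does not remove the problem, which is the point of the message.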