The claims that verifying DNSSEC caches can't be poisoned aren't true after all.
On Tue, 19 Aug 2008, Masataka Ohta wrote:

> A property of Kaminsky's attack that it is effective against a single
> target is useful, here.

I don't know if anyone noticed, but in fact, according to RFC4035 the delegation records and the glue records are not signed. A verifying DNSSEC cache can be poisoned with bad glue records using the poisoning attack, with only a slight change to the Kaminsky software.

--Dean

--
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net    faster, more reliable, better service
617 344 9000

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
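
The RFC 4035 rule the message refers to (section 2.2: the NS RRset at a delegation point and glue address RRsets are not signed), as an added example that is not part of the original message. The zone data, names and function names are constructed for illustration, and NSEC3 is not modelled.

```python
# Added example: which RRsets in a signed parent zone carry RRSIGs under
# RFC 4035 section 2.2. Zone contents are constructed sample data.

SIGNED_AT_CUT = {"DS", "NSEC"}  # parent-side types that are signed at a zone cut


def labels(name):
    """Split a domain name into lowercase labels, ignoring the root dot."""
    return [l for l in name.lower().rstrip(".").split(".") if l]


def is_at_or_below(name, ancestor):
    n, a = labels(name), labels(ancestor)
    return len(n) >= len(a) and n[len(n) - len(a):] == a


def classify(apex, rrsets):
    """Map each (owner, type) RRset to its signing status in the parent zone."""
    # Delegation points are owners of NS RRsets other than the zone apex.
    cuts = [o for o, t in rrsets if t == "NS" and labels(o) != labels(apex)]
    status = {}
    for owner, rtype in rrsets:
        cut = next((c for c in cuts if is_at_or_below(owner, c)), None)
        if cut is None:
            status[(owner, rtype)] = "signed"            # authoritative data
        elif labels(owner) != labels(cut):
            status[(owner, rtype)] = "unsigned (glue)"   # below the cut
        elif rtype in SIGNED_AT_CUT:
            status[(owner, rtype)] = "signed"            # DS / NSEC at the cut
        else:
            status[(owner, rtype)] = "unsigned (delegation)"
    return status


def unsigned_rrsets(apex, rrsets):
    """RRsets a validator cannot check by signature in the parent zone."""
    return sorted(k for k, v in classify(apex, rrsets).items() if v != "signed")


# Constructed parent zone "example." delegating "child.example." with in-zone glue.
SAMPLE_ZONE = [
    ("example.", "SOA"), ("example.", "NS"), ("example.", "DNSKEY"),
    ("www.example.", "A"),
    ("child.example.", "NS"), ("child.example.", "DS"), ("child.example.", "NSEC"),
    ("ns1.child.example.", "A"), ("ns1.child.example.", "AAAA"),
]

if __name__ == "__main__":
    for owner, rtype in unsigned_rrsets("example.", SAMPLE_ZONE):
        print(f"{owner:22} {rtype:5} no RRSIG in parent zone")
```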