Possible fix for Kaminsky's bug
Fri Aug 29 15:13 2008

So, there is a possible solution for Kaminsky's bug and it comes as a one-character patch.
Making the authoritative nameserver record already in the cache prevail over the new one spoofed by the attacker makes the time window for success last only until the real NS answer arrives, basically almost impossible, one shot or two depending on the bandwidth.
Personally I don't see why it shouldn't be like this, but the question is, does the RFC mention how the behavior should be? Perhaps the whole world missed the point of the real problem. Random source ports only make the attack less probable by increasing the guesses to 32 bits; this patch really fixes it.

Fri Aug 29 17:37 2008

Dan's answer:

"Please don't destroy the DNS in order to save it" :)

Fri Aug 29 18:46 2008

I had already read it and I don't agree :)

With the patch there is a configuration problem if the sysadmin puts a high TTL value on the NS record, but not a protocol flaw.

It's funny how he talks about destroying DNS, and then gives attack examples that the patch doesn't fix, but that's because of software and CNN configuration that breaks the protocol.
And he forgot to do the maths without the patch, which is an infinite time window and infinite packets.

Why should the A records have a TTL of 30s and the NS's TTL weeks? Am I missing something here?
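The cache rule proposed in the post (a cached NS record prevails over one arriving in a later, possibly spoofed, response) and the TTL trade-off raised in the comments, as an added simulation that is not code from the post or from any resolver; the credibility ranks, hostnames and timings are constructed for illustration.

```python
# Constructed simulation (not code from the post) of the proposed cache rule:
# an NS record already in the cache prevails over an NS record that arrives in
# a later response of equal or lower credibility, for as long as it is live.
from dataclasses import dataclass

# Credibility rank, loosely after RFC 2181 section 5.4.1 (higher = more trusted)
AUTH_AUTHORITY = 2  # authority section of an authoritative reply (delegation)

@dataclass
class Record:
    name: str
    rtype: str
    rdata: str
    ttl: int
    rank: int
    stored_at: float

class Cache:
    def __init__(self, cached_ns_prevails: bool):
        self.cached_ns_prevails = cached_ns_prevails  # the one-line rule on/off
        self.entries = {}

    def is_live(self, key, now):
        rec = self.entries.get(key)
        return rec is not None and now < rec.stored_at + rec.ttl

    def update(self, rec, now):
        """Return True if rec was stored, False if the cached record was kept."""
        key = (rec.name, rec.rtype)
        if (self.cached_ns_prevails and rec.rtype == "NS"
                and self.is_live(key, now) and self.entries[key].rank >= rec.rank):
            return False  # a live NS of equal or higher credibility stays put
        self.entries[key] = rec
        return True

    def lookup(self, name, rtype):
        rec = self.entries.get((name, rtype))
        return rec.rdata if rec else None

def poisoning_scenario(cached_ns_prevails, attempt_at):
    """Legit delegation cached at t=0 with a one-day TTL; a forged NS of the same
    rank arrives at attempt_at. Returns the NS the cache then hands out."""
    cache = Cache(cached_ns_prevails)
    zone = "example.test"  # made-up zone
    cache.update(Record(zone, "NS", "ns1.example.test", 86400, AUTH_AUTHORITY, 0.0), 0.0)
    forged = Record(zone, "NS", "ns.attacker.test", 86400, AUTH_AUTHORITY, attempt_at)
    cache.update(forged, attempt_at)
    return cache.lookup(zone, "NS")
```

With the rule enabled the forged record is ignored until the cached delegation expires (attempt_at at or beyond 86400 s), which is exactly the NS TTL trade-off the comments argue about.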