Kaminsky DNS Bug Fixed by Single Character Patch?

Submitted by Anonymous Coward on Thursday August 28 2008, @06:58AM
security
An anonymous reader writes "According to this thread on the bind-users mailing list ( http://marc.info/?t=121981071400003 ) there is nothing inherent in the DNS protocol that would cause the massive vulnerability discussed at length here and elsewhere.

As it turns out, it appears to be a simple off-by-one error in BIND, which favors new NS records over cached ones (even if the cached TTL is not yet expired). The patch changes this in favor of still-valid cached records, removing the attacker's ability to successfully poison the cache outside the small window of opportunity afforded by an expiring TTL, which is the way things used to be before the Kaminsky debacle.

Source port randomization is nice, but removing the root cause of the attack's effectiveness is better..."
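The two cache-replacement policies the submitter contrasts can be made concrete with a toy resolver cache. The block below is an added illustration written for this page; it is not BIND source, not the patch from the bind-users thread, and it does not claim that the real fix looks like this. Names such as `example.test`, `ns1.example.test` and `ns.attacker.test`, the TTL values and the timeline are all constructed. With `replace_valid=True` any freshly received NS set overwrites what is cached (the behaviour the submission attributes to unpatched BIND); with `replace_valid=False` a cached NS set whose TTL has not yet expired is kept and the newcomer is dropped (the described fix). The second half of the simulation shows that the window around TTL expiry remains open under either policy, which is why the submitter still calls source-port randomization "nice".

```python
"""Toy resolver cache modelling the two NS-replacement policies described
in the submission.  Constructed illustration code, not BIND and not the
patch discussed on bind-users."""

from dataclasses import dataclass


@dataclass
class RRset:
    """One cached record set: owner name, type, rdata, absolute expiry time."""
    name: str
    rtype: str
    rdata: tuple
    expires: int


class Cache:
    """Minimal cache keyed by (name, type).

    replace_valid=True  : a newly received RRset always overwrites the cached
                          one, even if the cached TTL has not expired.
    replace_valid=False : a cached RRset that is still valid wins; new data for
                          the same name/type is ignored until it expires.
    """

    def __init__(self, replace_valid: bool):
        self.replace_valid = replace_valid
        self.store = {}

    def lookup(self, name: str, rtype: str, now: int):
        rr = self.store.get((name, rtype))
        if rr is None or rr.expires <= now:
            return None          # nothing cached, or cached data has expired
        return rr

    def offer(self, rr: RRset, now: int) -> bool:
        """Offer an RRset learned from a response.  Returns True if stored."""
        if not self.replace_valid and self.lookup(rr.name, rr.rtype, now):
            return False         # still-valid cached data is preferred
        self.store[(rr.name, rr.rtype)] = rr
        return True


def run_poisoning_attempt(replace_valid: bool):
    """Constructed timeline (all names and TTLs are made up for the example):

    t=0     a legitimate referral caches NS example.test -> ns1.example.test
            with a 3600 s TTL
    t=10    the attacker wins a race for a query about a name under
            example.test; the forged reply carries an authority-section NS set
            for example.test pointing at the attacker's server
    t=3601  the cached TTL has expired and another forged reply arrives

    Returns the NS rdata the resolver believes at t=11 and at t=3602.
    """
    cache = Cache(replace_valid)

    legit = RRset("example.test.", "NS", ("ns1.example.test.",), expires=3600)
    cache.offer(legit, now=0)

    forged = RRset("example.test.", "NS", ("ns.attacker.test.",), expires=10 + 3600)
    cache.offer(forged, now=10)
    during_ttl = cache.lookup("example.test.", "NS", now=11).rdata

    # After expiry the cache has no valid entry, so the small window the
    # submitter mentions is open under either policy.
    forged_again = RRset("example.test.", "NS", ("ns.attacker.test.",), expires=3601 + 3600)
    cache.offer(forged_again, now=3601)
    after_expiry = cache.lookup("example.test.", "NS", now=3602).rdata

    return during_ttl, after_expiry


if __name__ == "__main__":
    print("overwrite policy :", run_poisoning_attempt(replace_valid=True))
    print("keep-valid policy:", run_poisoning_attempt(replace_valid=False))
```

Under the overwrite policy the attacker only needs to win one race at any time during the TTL; under the keep-valid policy a successful forgery is only useful in the interval after the cached set expires and before the resolver refreshes it, which is the pre-Kaminsky threat model the submission refers to. Source-port randomization attacks the race itself, so the two measures are complementary rather than alternatives.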
