1. DNS/毒盛の脆弱性
現在の DNS の最大の問題は偽サーバへの誘導である。
- NS レコードあるいは glue (A) レコードが攻撃の目標であり、 これらを防御することに最大の努力をする必要があるのだが、...
RFC 2181 Clarifications to the DNS Specification より
- 5.4. Receiving RRSets
- 5.4.1. Ranking data
The accuracy of data available is assumed from its source.
Trustworthiness shall be, in order from most to least:
+ Data from a primary zone file, other than glue data,
+ Data from a zone transfer, other than glue,
+ The authoritative data included in the answer section of an authoritative reply.
+ Data from the authority section of an authoritative answer,
+ Glue from a primary zone, or glue from a zone transfer,
+ Data from the answer section of a non-authoritative answer, and
non-authoritative data from the answer section of authoritative answers,
+ Additional information from an authoritative answer,
Data from the authority section of a non-authoritative answer,
Additional information from non-authoritative answers.
Unauthenticated RRs received and cached from the least trustworthy of
those groupings, that is data from the additional data section, and
data from the authority section of a non-authoritative answer, should
not be cached in such a way that they would ever be returned as
answers to a received query.
They may be returned as additional information where appropriate.
Ignoring this would allow the trustworthiness of relatively
untrustworthy data to be increased without cause or excuse.これでは glue レコードの扱いが十分とは言えない。
trustworthiness という提案はこれを実装しているはずの BIND 9 に Kaminsky 攻撃が成立しているらしいので、 毒盛対策にならないことは示されているのだろう。