1. Ghost Domain Names

The exploit was presented at the NDSS Symposium 2012: "Ghost Domain Names: Revoked Yet Still Resolvable" http://www.internetsociety.org/events/ndss-symposium-2012/symposium-program/feb08

"exploits a vulnerability in DNS cache update policy, which prevents effective domain name revocation. Attackers could cause a malicious domain name to be continuously resolvable even after the delegated data has been deleted from the domain registry and after the TTL associated with entry supposedly expires."

http://www.cs.indiana.edu/classes/b649-gupt/kangLiNDSS12.pdf

An attacker can repeatedly renew the TTL (time-to-live) of the delegation data cached in a resolver,
and so keep a malicious domain (such as phishing.com) continuously resolvable after the registry has removed it.

The attacker first changes the NS record of phishing.com to a new name, say ns1.phishing.com,
then queries the victim resolver for the A record of ns1.phishing.com.
Based on the cached, not yet expired delegation data for phishing.com,
the victim resolver contacts the authoritative server of phishing.com
and receives a response, such as:

/slide
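The response itself is not reproduced on this page. The following simulation, added here as an example and not taken from the page, the paper or BIND, models the steps above: a resolver whose cached delegation for phishing.com is replaced by authoritative NS data from the child zone every time the attacker queries it (the "refresh" policy), beside a resolver that caps the cached delegation's lifetime at the expiry the parent granted (the "bounded" policy). The zone names, the TTLs, the 12-hour re-query interval and both policy names are assumptions chosen for illustration.

```python
"""Simulating the ghost-domain cache behaviour.

Added example, not code from the page, the NDSS paper or BIND.
The zone names (phishing.com, ns1.phishing.com, ...), the TTLs, the
re-query interval and the two policy names are assumptions.
"""

DAY = 86400


class ParentZone:
    """The parent (registry / TLD) zone: serves the delegation until it is revoked."""

    def __init__(self, ttl):
        self.ttl = ttl
        self.delegations = {}  # zone -> NS name

    def add(self, zone, ns):
        self.delegations[zone] = ns

    def revoke(self, zone):
        self.delegations.pop(zone, None)

    def lookup(self, zone):
        ns = self.delegations.get(zone)
        return None if ns is None else (ns, self.ttl)


class ChildServer:
    """Authoritative server for the malicious zone; the attacker controls its NS RRset."""

    def __init__(self, zone, ns, ttl):
        self.zone, self.ns, self.ttl = zone, ns, ttl

    def rename_ns(self, new_ns):
        self.ns = new_ns

    def answer(self):
        # Whatever is asked (e.g. the A record of the new NS name), the child's
        # reply carries the zone's own NS RRset, authoritative, with a fresh TTL.
        return self.ns, self.ttl


class Resolver:
    """A caching resolver with a selectable delegation-update policy."""

    def __init__(self, parent, child, policy):
        self.parent, self.child, self.policy = parent, child, policy
        self.cache = None  # {"ns", "expires", "parent_expires"} for the child zone

    def resolve(self, now):
        """Resolve a name under the child zone at time `now`; True if it resolves."""
        if self.cache is None or self.cache["expires"] <= now:
            # No usable delegation cached: ask the parent.
            found = self.parent.lookup(self.child.zone)
            if found is None:
                self.cache = None
                return False
            ns, ttl = found
            self.cache = {"ns": ns, "expires": now + ttl, "parent_expires": now + ttl}
        # Follow the cached delegation to the child; its reply includes its NS RRset.
        ns, ttl = self.child.answer()
        if self.policy == "refresh":
            # Vulnerable: authoritative data from the child outranks the cached
            # delegation and replaces it, TTL included, so the expiry moves forward.
            self.cache.update(ns=ns, expires=now + ttl)
        elif self.policy == "bounded":
            # Hardened (assumed policy): take the child's NS names, but never let
            # the cached delegation outlive what the parent granted.
            self.cache.update(ns=ns, expires=min(now + ttl, self.cache["parent_expires"]))
        else:
            raise ValueError(f"unknown policy {self.policy!r}")
        return True


def simulate(policy, revoke_at=1 * DAY, horizon=30 * DAY, step=12 * 3600):
    """Return the last time at which phishing.com still resolved under `policy`.

    The registry delegates phishing.com with a 2-day TTL, revokes it at
    `revoke_at`, and the attacker renames the NS and re-queries every `step`.
    """
    parent = ParentZone(ttl=2 * DAY)
    parent.add("phishing.com", "ns1.phishing.com")
    child = ChildServer("phishing.com", "ns1.phishing.com", ttl=2 * DAY)
    resolver = Resolver(parent, child, policy)

    last_ok = None
    n = 1
    for now in range(0, horizon + 1, step):
        if now >= revoke_at:
            parent.revoke("phishing.com")  # delegation deleted from the registry
        if now > 0:
            n += 1
            child.rename_ns(f"ns{n}.phishing.com")  # attacker picks a new NS name
        if resolver.resolve(now):
            last_ok = now
    return last_ok


if __name__ == "__main__":
    for policy in ("refresh", "bounded"):
        print(f"{policy:8s}: last resolvable at day {simulate(policy) / DAY:g}")
```

Under the "refresh" policy the domain still resolves at the end of the 30-day horizon even though the registry dropped it on day 1; under the "bounded" policy it stops resolving once the parent-granted 2-day TTL runs out. The "refresh" behaviour is what the RFC 2181 trust ranking produces when authoritative child data is allowed to overwrite a cached delegation; the "bounded" policy is one possible hardening assumed for this example, not a description of what any particular resolver does.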

2. discussion

/discussion


Apparently this had been known for quite some time.

http://www.cs.uoregon.edu/Activities/talks/20111122-Duan.php

3. twitter

There are few sensible comments. The people at JPRS are busy putting out fires; in particular, they were trying to shield BIND.

4. ISC

https://www.isc.org/software/bind/advisories/cve-2012-1033

Ghost Domain Names: Revoked Yet Still Resolvable

After completing our analysis of the DNS exploit reported by Professor Haixin Duan of Tsinghua University,
ISC has determined that the behavior he describes, while verifiable, is due to design issues in the DNS protocol.

No immediate steps are planned to address the issue.
Further information concerning the implications of the reported vulnerability can be found in the complete problem description below.
CVE: CVE-2012-1033
Versions affected:  All versions of BIND 9
Severity:  High
Exploitable: remotely

Gist:

The behavior in question arises from a side-effect of design decisions in the DNS protocol.
It is not caused by a bug in BIND or other affected software.
BIND and other software affected by this behavior are so affected because of the inherent, longstanding design of the DNS protocol.

What ISC published: https://www.isc.org/files/imce/ghostdomain_camera.pdf

5. The situation in Japan

https://jvn.jp/cert/JVNVU542123/

"An issue where a DNS cache server retains resource records beyond the time-to-live (TTL) value
set by the authoritative server of the parent domain"

This is wording I remember seeing somewhere. And as an explanation it is wrong, too.

An Internet Watch (Impress) article that repeats this mistake. -- ToshinoriMaeno 2012-02-11 11:34:02

6. The name

People seem to have started calling it a "ghost domain", but I think "zombie domain" or "black domain" would be better.