DNSSEC under attack?
For more than a year now I've heard lots of people in the Internet industry proclaiming DNSSEC (DNS Security Extensions) as the long-term solution to DNS cache poisoning vulnerabilities.
That may not necessarily be the case.
A new vulnerability is now out that attacks DNS servers WITH DNSSEC installed.
So what's up with this new attack? For one, it specifically deals with the ISC BIND 9 DNS server, which is widely deployed.
"A nameserver with DNSSEC validation enabled may incorrectly add records to its cache from the additional section of responses received during resolution of a recursive client query," the security advisory from ISC states. "This behavior only occurs when processing client queries with checking disabled (CD) at the same time as requesting DNSSEC records (DO)."
So, to recap: DNSSEC, the same tech that is supposed to help prevent DNS cache poisoning, could itself be poisoned in certain circumstances.
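The advisory's trigger condition is a query with two specific bits set: CD in the DNS header and DO in the EDNS0 OPT record. The following is an added example (not code from the post or from ISC) that decodes both bits from a raw DNS message so such queries can be counted or flagged in monitoring; the sample query it builds is constructed for the demonstration, not a capture.

```python
import struct

CD_FLAG = 0x0010   # "checking disabled" bit in the DNS header flags word
DO_FLAG = 0x8000   # "DNSSEC OK" bit in the TTL field of the EDNS0 OPT record
OPT_TYPE = 41      # RR type of the EDNS0 OPT pseudo-record (additional section)


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def _skip_rr(msg, off):
    """Return (offset past the RR, RR type, raw TTL field) for one resource record."""
    off = _skip_name(msg, off)
    rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
    return off + 10 + rdlen, rtype, ttl


def cd_and_do_set(msg):
    """True when a DNS message has both the CD header bit and the DO bit of an
    OPT record set, the query combination named in the ISC advisory."""
    _id, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4        # skip QTYPE and QCLASS
    for _ in range(an + ns):
        off, _, _ = _skip_rr(msg, off)
    do = False
    for _ in range(ar):
        off, rtype, ttl = _skip_rr(msg, off)
        if rtype == OPT_TYPE and ttl & DO_FLAG:
            do = True
    return bool(flags & CD_FLAG) and do


def build_query(name, cd=False, do=False, edns=False):
    """Constructed sample type-A query (not a capture) to exercise the check."""
    flags = 0x0100 | (CD_FLAG if cd else 0)  # RD set, CD optional
    edns = edns or do                         # DO lives in an OPT record, so it implies EDNS
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 1 if edns else 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, DO_FLAG if do else 0, 0)
    return header + question + (opt if edns else b"")
```

Run `cd_and_do_set()` over query bytes from a packet capture to see how often the CD+DO combination actually reaches a validating resolver; a query with EDNS but no DO, or CD without EDNS, does not match.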