For more than a year now I’ve heard lots of people in the Internet industry proclaiming DNSSEC (DNS Security Extensions) as the long-term solution to DNS cache poisoning vulnerabilities.
That may not necessarily be the case.
A new vulnerability is now out that attacks DNS servers WITH DNSSSEC installed.
In the summer of 2008, security researcher Dan Kaminsky made the whole world aware of potential security issues with DNS, which could have undermined the integrity of the Internet itself. DNSSEC is supposed to be answer, with most of the world’s major Internet registries moving to implement the technology.
So what’s up with this new attack? For one, it specifically deals with the ISC BIND 9 DNS server which is widely deployed.
“A nameserver with DNSSEC validation enabled may incorrectly add records
to its cache from the additional section of responses received during
resolution of a recursive client query,” the security advisory from ISC states. “This behavior only occurs when
processing client queries with checking disabled (CD) at the same time
as requesting DNSSEC records (DO).”
So to recap. DNSSEC, the same tech that is supposed to help prevent DNS cache poisoning could itself be poisoned in certain circumstances.
