Security

Submission + - Kaminsky DNS Bug Fixed by Single Character Patch?

An anonymous reader writes: According to this thread on the bind-users mailing list ( http://marc.info/?t=121981071400003 ) there is nothing inherent in the DNS protocol that would cause the massive vulnerability discussed at length here and elsewhere.

As it turns out, it appears to be a simple off-by-one error in BIND, which favors new NS records over cached ones (even if the cached TTL is not yet expired). The patch changes this in favor of still-valid cached records, removing the attacker's ability to successfully poison the cache outside the small window of opportunity afforded by an expiring TTL, which is the way things used to be before the Kaminsky debacle.

Source port randomization is nice, but removing the root cause of the attack's effectiveness is better...
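The cache behaviour the submission describes, modelled as an added example (this is not code from the bind-users thread, from BIND, or from the submitter): a toy resolver cache with two policies for an NS record that arrives in a response while a still-valid copy is already cached, run against a Kaminsky-style flood of queries for random names under the target zone. The names, TTLs, the in-bailiwick filter, and the rule that the forged response beats the genuine one on a given attempt are all constructed for the illustration.

```python
# Added example: a toy resolver cache contrasting "new record overwrites
# cached" with "still-valid cached record wins", as the submission describes
# the before/after behaviour. Not BIND code; names and timings are made up.
from dataclasses import dataclass

DAY = 86400
REAL_NS = "ns1.example.com"        # constructed: the zone's genuine nameserver
EVIL_NS = "ns.attacker.example"    # constructed: the attacker's nameserver


@dataclass
class CacheEntry:
    rdata: str
    expires: int  # absolute time in seconds


class ResolverCache:
    """Minimal cache keyed by (owner name, record type)."""

    def __init__(self, prefer_cached: bool):
        # prefer_cached=False: a freshly received record always overwrites.
        # prefer_cached=True: a cached record whose TTL has not expired wins.
        self.prefer_cached = prefer_cached
        self.entries: dict[tuple[str, str], CacheEntry] = {}

    def lookup(self, name: str, rtype: str, now: int):
        entry = self.entries.get((name, rtype))
        if entry is None or entry.expires <= now:
            return None
        return entry.rdata

    def ingest(self, zone: str, records, now: int) -> None:
        """Store records from a response served for `zone`.

        records: iterable of (name, rtype, rdata, ttl). Records whose owner is
        not at or below `zone` are dropped (the usual bailiwick check, assumed
        here so that only the cache policy differs between the two runs).
        """
        for name, rtype, rdata, ttl in records:
            if not (name == zone or name.endswith("." + zone)):
                continue
            key = (name, rtype)
            current = self.entries.get(key)
            if self.prefer_cached and current and current.expires > now:
                continue  # still-valid cached record wins, new data ignored
            self.entries[key] = CacheEntry(rdata, now + ttl)


def kaminsky_race(prefer_cached: bool, start: int = 60,
                  attempts: int = 50, winning_attempt: int = 7) -> str:
    """Simulate the attack against a cache that learned example.com's NS at
    time 0 with a one-day TTL. From `start` on, the resolver looks up random
    names under example.com; the attacker races forged responses whose
    authority section points example.com at EVIL_NS. The forged packet is
    assumed to beat the genuine one (right TXID, right port) on attempt
    `winning_attempt`. Returns the NS rdata cached for example.com afterwards.
    """
    cache = ResolverCache(prefer_cached)
    cache.ingest("example.com", [("example.com", "NS", REAL_NS, DAY)], now=0)
    now = start
    for i in range(1, attempts + 1):
        qname = f"rnd{i}.example.com"
        current = cache.lookup("example.com", "NS", now)
        if i == winning_attempt or current == EVIL_NS:
            # Either the spoofed packet arrived first, or the resolver is
            # already talking to the attacker's server, which keeps asserting
            # its own NS in every answer.
            records = [(qname, "A", "192.0.2.66", DAY),
                       ("example.com", "NS", EVIL_NS, DAY)]
        else:
            # Genuine answer; its authority section repeats the real NS.
            records = [("example.com", "NS", REAL_NS, DAY)]
        cache.ingest("example.com", records, now)
        now += 1
    return cache.lookup("example.com", "NS", now)


if __name__ == "__main__":
    print("overwrite policy, valid TTL :", kaminsky_race(False))
    print("keep-cached policy, valid TTL:", kaminsky_race(True))
    print("keep-cached, entry expired, forged wins first race:",
          kaminsky_race(True, start=DAY + 1, winning_attempt=1))
```

With the overwrite policy one winning forged packet, at any time during the day-long TTL, replaces the NS and every later query goes to the attacker. With the keep-cached policy the same packet only poisons the throwaway random name; the NS can only be replaced if the forged answer wins the very first race after the cached entry expires, which is the narrow window the submission refers to.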
