Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. Also, Slashdot's Facebook page has a chat bot now. Message it for stories and more. ×
Security

Submission + - Kaminsky DNS Bug Fixed by Single Character Patch?

An anonymous reader writes: According to this thread on the bind-users mailing list ( http://marc.info/?t=121981071400003 ) there is nothing inherent in the DNS protocol that would cause the massive vulnerability discussed at length here and elsewhere.

As it turns out, it appears to be a simple off-by-one error in BIND, which favors new NS records over cached ones (even if the cached TTL is not yet expired). The patch changes this in favor of still-valid cached records, removing the attacker's ability to succesfully poison the cache outside the small window of opportunity afforded by an expiring TTL, which is the way things used to be before the Kaminsky debacle.

Source port randomization is nice, but removing the root cause of the attack's effectiveness is better...

Slashdot Top Deals

Elegance and truth are inversely related. -- Becker's Razor

Working...