MoinQ:

1. DNS/実装/BIND/歴史

The BIND 9 Security Vulnerability Matrix https://kb.isc.org/article/AA-00913/0/BIND-9-Security-Vulnerability-Matrix.html

BINDがキャッシュ毒盛に正面から対応していないことが分かるはず。-- ToshinoriMaeno 2017-11-02 02:52:03

2. DNS/BINDの歴史

BIND が port ランダム化をどう扱かってきたかの歴史を示す記述です。

[http://it.slashdot.org/comments.pl?sid=947871&cid=24793785]

BIND has resisted port randomization because "the RFC said so" 
- never mind that they wrote the RFC, and that no clients bother checking.

Because it stopped spoofing attacks ten years ago, and it stops them today,
most DNS servers - including those derived from BIND- do this.

BIND also uses these very complicated credibility rules
for determining if it can override existing cache-knowledge.
This can presumably save one or two queries per dot,
but surely it would be safer to only cache answers to questions
that were asked. That is, by the way, what djbdns does.

Most DNS spoofing attacks can also be solved
by solving most blind spoofing attacks.

There's a little reluctance to do so,
because it makes things like DNSSEC largely obsolete for their intended audience.
As a result, we see a lot of chest thumping and stomping in the temper tantrum.
You can tell when you're about to get into one because they start by saying
"If we just switched to DNSSEC by now, we wouldn't be having this problem."

Of course, since BGP peers now route-filter everywhere on the internet
(they didn't used to!), mandatory source filtering is
a completely possible and realistic way
to stop this and other similar problems...

そのあと: /場当たり的対応