MoinQ:

1. DNS/Cache poisoning vulnerability

The biggest problem with DNS at present is being directed to a forged server.

DNS/Resolver/RFC2181 ranking reconsidered

From RFC 2181, Clarifications to the DNS Specification:

   The accuracy of data available is assumed from its source.
   Trustworthiness shall be, in order from most to least:

     + Data from a primary zone file, other than glue data,
     + Data from a zone transfer, other than glue,
     + The authoritative data included in the answer section of an authoritative reply.
     + Data from the authority section of an authoritative answer,
     + Glue from a primary zone, or glue from a zone transfer,
     + Data from the answer section of a non-authoritative answer, and
       non-authoritative data from the answer section of authoritative answers,
     + Additional information from an authoritative answer,
       Data from the authority section of a non-authoritative answer,
       Additional information from non-authoritative answers.

   Unauthenticated RRs received and cached from the least trustworthy of
   those groupings, that is data from the additional data section, and
   data from the authority section of a non-authoritative answer, should
   not be cached in such a way that they would ever be returned as
   answers to a received query.
   They may be returned as additional information where appropriate.
   Ignoring this would allow the trustworthiness of relatively
   untrustworthy data to be increased without cause or excuse.

With this, the handling of glue records cannot be called adequate.

As for the trustworthiness proposal, since the Kaminsky attack apparently succeeds against BIND 9, which should be implementing it, it has presumably been demonstrated that it is not a countermeasure against cache poisoning.
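To make the RFC 2181 section 5.4.1 ranking quoted above concrete, here is an added example (not code from this page, from BIND, or from any real resolver) of a toy cache that applies it: a record is only replaced by data of strictly higher credibility, and data from the least trustworthy grouping (additional sections, and the authority section of a non-authoritative answer) is cached but never handed back as an answer. The numeric rank values, the `credibility_of` mapping, the `in_zone` flag used to model "non-authoritative data from the answer section of authoritative answers", and the sample names and addresses are all assumptions constructed for the example.

```python
"""Toy resolver cache applying the RFC 2181 s.5.4.1 trustworthiness ranking.
Added illustration only: rank numbers, helper names and sample data are
constructed for this example and are not taken from any real resolver."""

from dataclasses import dataclass
from enum import IntEnum


class Credibility(IntEnum):
    """Higher value = more trustworthy. The ordering is RFC 2181's; the
    numeric values are an assumption of this example."""
    ADDITIONAL_OR_NONAUTH_AUTHORITY = 1  # least: additional sections, non-auth authority
    NONAUTH_ANSWER = 2                   # answer section of a non-authoritative answer
    GLUE = 3                             # glue from a primary zone or a zone transfer
    AUTH_AUTHORITY = 4                   # authority section of an authoritative answer
    AUTH_ANSWER = 5                      # authoritative data in an authoritative reply
    ZONE_TRANSFER = 6                    # zone transfer data other than glue
    PRIMARY_ZONE = 7                     # most: primary zone file other than glue


@dataclass
class CachedRR:
    name: str
    rtype: str
    rdata: str
    cred: Credibility


def credibility_of(section: str, aa: bool, in_zone: bool = True) -> Credibility:
    """Map the section an RR arrived in (and the AA bit) to its credibility.
    `in_zone` models whether answer-section data is authoritative for the
    responding zone; out-of-zone data in an AA reply ranks as non-authoritative."""
    if section == "answer":
        return Credibility.AUTH_ANSWER if (aa and in_zone) else Credibility.NONAUTH_ANSWER
    if section == "authority":
        return Credibility.AUTH_AUTHORITY if aa else Credibility.ADDITIONAL_OR_NONAUTH_AUTHORITY
    if section == "additional":
        return Credibility.ADDITIONAL_OR_NONAUTH_AUTHORITY
    raise ValueError(f"unknown section {section!r}")


class RankedCache:
    def __init__(self):
        self._rrs = {}  # (lowercased name, type) -> CachedRR

    def store(self, rr: CachedRR) -> bool:
        """Accept rr only if nothing of equal or higher credibility is cached
        for the same (name, type). Returns True when rr was stored."""
        key = (rr.name.lower(), rr.rtype)
        current = self._rrs.get(key)
        if current is not None and current.cred >= rr.cred:
            return False
        self._rrs[key] = rr
        return True

    def answer(self, name: str, rtype: str):
        """Return rdata usable as an *answer*. The least trustworthy grouping
        is never returned as an answer, as the RFC text requires."""
        rr = self._rrs.get((name.lower(), rtype))
        if rr is None or rr.cred <= Credibility.ADDITIONAL_OR_NONAUTH_AUTHORITY:
            return None
        return rr.rdata

    def additional(self, name: str, rtype: str):
        """Least trustworthy data may still be returned as additional information."""
        rr = self._rrs.get((name.lower(), rtype))
        return None if rr is None else rr.rdata


def demo() -> dict:
    """Walk through constructed responses and report what the cache does."""
    cache = RankedCache()
    # Constructed: authoritative reply for www.example.test.
    cache.store(CachedRR("www.example.test", "A", "192.0.2.10", credibility_of("answer", aa=True)))
    # Constructed: a later response carries an additional-section A record for the
    # same name with a different address; it must not displace the authoritative answer.
    overwrite_accepted = cache.store(
        CachedRR("www.example.test", "A", "203.0.113.99", credibility_of("additional", aa=False)))
    # Constructed: additional-section data for a name we know nothing about is cached,
    # but may only be served as additional data, never as an answer.
    cache.store(CachedRR("mail.example.test", "A", "192.0.2.25", credibility_of("additional", aa=True)))
    # Constructed: glue for a name server, then a non-authoritative answer and an
    # authoritative answer for the same name.
    cache.store(CachedRR("ns1.example.test", "A", "192.0.2.53", Credibility.GLUE))
    glue_replaced_by_nonauth = cache.store(
        CachedRR("ns1.example.test", "A", "203.0.113.53", credibility_of("answer", aa=False)))
    glue_replaced_by_auth = cache.store(
        CachedRR("ns1.example.test", "A", "192.0.2.54", credibility_of("answer", aa=True)))
    return {
        "overwrite_accepted": overwrite_accepted,
        "www_answer": cache.answer("www.example.test", "A"),
        "mail_answer": cache.answer("mail.example.test", "A"),
        "mail_additional": cache.additional("mail.example.test", "A"),
        "glue_replaced_by_nonauth": glue_replaced_by_nonauth,
        "glue_replaced_by_auth": glue_replaced_by_auth,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The last three results show the point the page raises about glue: under this ordering a glue record sits above non-authoritative answer data, so it is displaced only by authoritative data, and a resolver that ranks sections this way still has no way of judging the glue itself beyond the source it came from. Whether such ranking alone stops poisoning is exactly the question the page answers in the negative.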