Comment 10 for bug 1471159

Kiall Mac Innes (kiall) wrote :

@Florian: re

> I would expect that some resolvers use the name server A record from glue. Then the attacker can serve a zone with a non-minimal reply which overrides the entire zone NS RRset.

The attacker will have no control of the choice of minimal or non-minimal replies, as the provider will make this configuration change on their nameservers. At this point, Designate and the Designate managed nameservers have resolved this issue. If an attacker sets up their own nameserver with "forged" or otherwise invalid information we're entering the world of standard DNS cache poisoning, which there's zero we can do about. e.g. I can set up a nameserver for "foo.com.", entice lots of users towards it, and serve "1.1.1.1 IN A ns1.google.com." as an additional, but due to 99% or more of resolvers implementing protection from this, I won't be hijacking google :)

I've attached another patch to the docs, and a rendered screenshot.
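The resolver-side protection the comment refers to is the "bailiwick" rule: additional records naming anything outside the zone the answering server is authoritative for are discarded rather than cached. The following is an added illustration of that check, not code from the commenter or from Designate; the record set, the `RR` class and the `accept_additional` helper are constructed for this example.

```python
# Added example: a resolver-side bailiwick check on the additional section.
# All records below are constructed; names and helpers are assumptions.

from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str    # owner name, absolute, e.g. "ns1.foo.com."
    rtype: str   # record type, e.g. "A"
    rdata: str   # record data, e.g. "192.0.2.10"


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` equals `zone` or is a subdomain of it (case-insensitive)."""
    name = name.lower().rstrip(".") + "."
    zone = zone.lower().rstrip(".") + "."
    # The leading dot prevents "evilfoo.com." from matching zone "foo.com.".
    return name == zone or name.endswith("." + zone)


def accept_additional(zone: str, additional: list[RR]) -> tuple[list[RR], list[RR]]:
    """Split additional-section records into (kept, dropped).

    A server answering for `zone` may only supply glue for names inside
    that zone; everything else is out of bailiwick and must not be cached.
    """
    kept, dropped = [], []
    for rr in additional:
        (kept if in_bailiwick(rr.name, zone) else dropped).append(rr)
    return kept, dropped


# Constructed reply from a server that is authoritative only for "foo.com.".
RESPONSE_ZONE = "foo.com."
ADDITIONAL = [
    RR("ns1.foo.com.", "A", "192.0.2.10"),          # legitimate in-zone glue
    RR("ns1.google.com.", "A", "1.1.1.1"),          # out of bailiwick, as in the comment
    RR("ns1.foo.com.example.", "A", "192.0.2.11"),  # different zone despite the prefix
    RR("evilfoo.com.", "A", "192.0.2.12"),          # suffix lookalike, not a subdomain
]

if __name__ == "__main__":
    kept, dropped = accept_additional(RESPONSE_ZONE, ADDITIONAL)
    print("kept:   ", [rr.name for rr in kept])
    print("dropped:", [rr.name for rr in dropped])
```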