Kaminsky's DNS hack

[fanf]

beezari posted a copy of the leaked Matasano explanation of Kaminsky's new DNS attack. I believe the explanation isn't quite right. In his interview in the WIRED Threat Level blog Kaminsky mentions that the attack relies on CNAMEs. This means that it does not depend on glue nor on additional section processing, which is what Matasano described. I believe the real explanation is...

$ md5 <~/doc/kaminsky
ef96f2d9e973a36e825793ddeff48ae5

Comments

[mas90.livejournal.com]

If I were to tweak the Matasano explanation to be more interesting, I'd say in the last-but-one paragraph that Mallory doesn't reply "CXOPQ.VICTIM.COM A 6.6.6.0", she instead replies "CXOPQ.VICTIM.COM CNAME WWW.VICTIM.COM.", with an additional RR "WWW.VICTIM.COM A 6.6.6.0".

If I understand correctly, that is definitely in-bailiwick since the additional RR is for the answer to the original query (it's equivalent to the normal use of additional RRs for NS glue) and will successfully poison Alice's cache for WWW.VICTIM.COM.

I don't expect you can confirm nor deny that this is what Kaminsky is getting at if you're in possession of the canonical explanation however :-P

[fanf]

I don't have the canonical explanation. All I have in addition to the above links is a post by Florian Weimer on the namedroppers list which also mentions CNAME. (Florian has known the details for months.)

Your description of the attack agrees with mine. The interesting bit is why CNAME is necessary, and additional RRs aren't enough.