== DNS/毒盛の脆弱性 (DNS cache poisoning vulnerabilities) ==

The biggest problem with the DNS as currently deployed is that a client can be steered to a fake server. The NS records, or the glue (A) records, are what the attack goes after, and defending them is where the greatest effort is needed, but...

[[DNS/リゾルバー/RFC2181ランキング再考]] (reconsidering the RFC 2181 ranking in resolvers)

From RFC 2181, Clarifications to the DNS Specification, section 5.4 "Receiving RRSets", 5.4.1 "Ranking data":

{{{
The accuracy of data available is assumed from its source. Trustworthiness shall be, in order from most to least:

+ Data from a primary zone file, other than glue data,
+ Data from a zone transfer, other than glue,
+ The authoritative data included in the answer section of an authoritative reply.
+ Data from the authority section of an authoritative answer,
+ Glue from a primary zone, or glue from a zone transfer,
+ Data from the answer section of a non-authoritative answer, and non-authoritative data from the answer section of authoritative answers,
+ Additional information from an authoritative answer, Data from the authority section of a non-authoritative answer, Additional information from non-authoritative answers.

Unauthenticated RRs received and cached from the least trustworthy of those groupings, that is data from the additional data section, and data from the authority section of a non-authoritative answer, should not be cached in such a way that they would ever be returned as answers to a received query. They may be returned as additional information where appropriate. Ignoring this would allow the trustworthiness of relatively untrustworthy data to be increased without cause or excuse.
}}}

This is not an adequate treatment of glue records. As for the trustworthiness ranking itself, the Kaminsky attack reportedly succeeds against BIND 9, which is supposed to implement it, so it has apparently been demonstrated that the ranking is no countermeasure against poisoning. The reason is visible in the ranking: the forged reply has the AA bit set, so the NS RRset in its authority section ranks fourth ("data from the authority section of an authoritative answer"), above the NS RRset the resolver already holds from the referral, which came from the authority section of a non-authoritative answer and sits in the lowest group. The ranking therefore permits the overwrite. The forged glue in the additional section is in the lowest group and may not be returned as an answer, but nothing in the ranking stops the resolver from using it to choose which server to contact for the zone, which is all the attacker needs.
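The following is an added example, not code from the page or from any real resolver. It implements the RFC 2181 5.4.1 ranking as a small cache that only lets an RRset overwrite a cached copy of equal or lower rank, and then feeds it a Kaminsky-style exchange: a legitimate referral, a forged authoritative reply for a random label, and a later legitimate referral. The names, the addresses (documentation ranges 192.0.2.0/24 and 203.0.113.0/24) and the simplified response layout are constructed for the illustration; the `Rank`, `RankingCache`, `ingest` and `kaminsky_scenario` names are assumptions of this example.

```python
"""RFC 2181 section 5.4.1 ranking with a Kaminsky-style poisoning attempt run through it.

Added example. Names, addresses and the response layout are constructed for
illustration; 192.0.2.0/24 and 203.0.113.0/24 are documentation ranges.
"""
from dataclasses import dataclass
from enum import IntEnum


class Rank(IntEnum):
    """Trustworthiness groups from RFC 2181 5.4.1; a higher value is more trusted."""
    LEAST = 1            # additional section; authority section of a non-authoritative answer
    NONAUTH_ANSWER = 2   # answer section of a non-authoritative answer
    GLUE = 3             # glue from a primary zone or a zone transfer
    AUTH_AUTHORITY = 4   # authority section of an authoritative answer
    AUTH_ANSWER = 5      # authoritative data in the answer section of an authoritative reply
    ZONE_TRANSFER = 6    # zone transfer data other than glue
    PRIMARY_ZONE = 7     # primary zone file data other than glue


@dataclass
class Entry:
    rdata: tuple
    rank: Rank

    @property
    def answer_usable(self) -> bool:
        # RFC 2181: the least trustworthy group must never be returned as an answer.
        return self.rank > Rank.LEAST


class RankingCache:
    def __init__(self) -> None:
        self._store: dict[tuple[str, str], Entry] = {}

    def put(self, name: str, rtype: str, rdata, rank: Rank) -> bool:
        """Store an RRset unless the cached copy ranks strictly higher. Returns True if stored."""
        key = (name.lower(), rtype)
        cur = self._store.get(key)
        if cur is not None and cur.rank > rank:
            return False
        self._store[key] = Entry(tuple(rdata), rank)
        return True

    def get(self, name: str, rtype: str, as_answer: bool = True):
        """as_answer=True: data that may be handed to a client as an answer.
        as_answer=False: data the resolver may still use internally, e.g. an
        additional-section address when choosing which nameserver to contact."""
        e = self._store.get((name.lower(), rtype))
        if e is None or (as_answer and not e.answer_usable):
            return None
        return e.rdata


def ingest(cache: RankingCache, aa: bool, answer=(), authority=(), additional=()) -> None:
    """Assign each section of a reply its RFC 2181 rank and offer it to the cache.
    Records are (owner, type, rdata) tuples; aa is the AA bit of the reply."""
    for owner, rtype, rdata in answer:
        cache.put(owner, rtype, [rdata], Rank.AUTH_ANSWER if aa else Rank.NONAUTH_ANSWER)
    for owner, rtype, rdata in authority:
        cache.put(owner, rtype, [rdata], Rank.AUTH_AUTHORITY if aa else Rank.LEAST)
    for owner, rtype, rdata in additional:
        cache.put(owner, rtype, [rdata], Rank.LEAST)


def kaminsky_scenario() -> dict:
    """Constructed exchange showing that the ranking lets a forged authoritative
    reply replace the NS RRset learned from a legitimate referral."""
    cache = RankingCache()
    # 1. Legitimate referral from the .com servers (AA clear): NS in authority, glue in additional.
    ingest(cache, aa=False,
           authority=[("example.com.", "NS", "ns1.example.com.")],
           additional=[("ns1.example.com.", "A", "192.0.2.53")])
    # 2. Forged reply to a query for a random label under example.com, AA set.
    #    The poison is carried only in the authority and additional sections.
    ingest(cache, aa=True,
           answer=[("a9f3.example.com.", "A", "203.0.113.1")],
           authority=[("example.com.", "NS", "www.example.com.")],
           additional=[("www.example.com.", "A", "203.0.113.66")])
    # 3. A later legitimate referral ranks in the lowest group and cannot undo the poison.
    restored = cache.put("example.com.", "NS", ["ns1.example.com."], Rank.LEAST)
    return {
        "ns": cache.get("example.com.", "NS"),
        "poison_as_answer": cache.get("www.example.com.", "A"),
        "poison_for_delegation": cache.get("www.example.com.", "A", as_answer=False),
        "legit_referral_restores_ns": restored,
    }


if __name__ == "__main__":
    for k, v in kaminsky_scenario().items():
        print(f"{k}: {v}")
```

The result is the situation described above: the NS RRset for the zone now points at the attacker's name, the forged glue is withheld from answers exactly as RFC 2181 requires, yet it is still the address the resolver would use to reach the "nameserver", and a subsequent honest referral cannot displace the poisoned NS because it ranks lower.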