2008-08-29
A domain-name system (DNS) programmer proposed on Wednesday that the addition of a single character to the popular BIND name server software could severely limit cache poisoning attacks, such as those described by researcher Dan Kaminsky.
By changing a '<' to '<=' in a trust check in the Berkeley Internet Name Domain (BIND) server software, the patch would prevent a previously unknown server from poisoning the cache, unless the time to live (TTL) -- a limit on the age of a name server entry -- had expired. The suggestion -- made by Gabriel Somlo, a network architect with Carnegie Mellon University -- would make exploitation of name server caches more difficult.
However, the "one-character patch" also has some serious side effects, Dan Kaminsky, director of penetration testing for IOActive, said in an e-mail interview with SecurityFocus. Some major hosts have no TTLs or very low TTLs and, for those servers, you gain very little, he said. Other hosts have very high TTLs, he added.
"If we can't override them -- can't override high TTLs -- those sites go down for a very long time," Kaminsky said. "You don't get to fix DNS by breaking it. People will just not deploy your patch."
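To make the trade-off concrete, here is a small model of the cache-replacement rule the article describes. It is an added illustration, not BIND's code or Somlo's patch: a toy resolver cache where a `strict` flag switches the trust comparison from '<' to '<=', so an unexpired entry is no longer overwritten by data of equal trust until its TTL runs out. The trust ordering, names and 192.0.2.0/24 addresses are constructed sample values; the last part of the scenario shows the side effect Kaminsky raises, a legitimate renumbering of a long-TTL record that the strict rule will not pick up early.

```python
"""Toy model of a resolver cache and the '<' vs '<=' trust check (not BIND code)."""
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed trust ordering for this example; higher means a more authoritative
# source. This is not BIND's internal enumeration.
TRUST_GLUE = 1        # glue / additional-section data
TRUST_AUTHORITY = 2   # authority-section data
TRUST_ANSWER = 3      # answer-section data from the queried server


@dataclass
class CacheEntry:
    rdata: str
    trust: int
    expires: float  # absolute time at which the entry's TTL runs out


class ResolverCache:
    """Minimal cache keyed by owner name; `strict` selects '<=' instead of '<'."""

    def __init__(self, strict: bool) -> None:
        self.strict = strict
        self.entries: Dict[str, CacheEntry] = {}

    def lookup(self, name: str, now: float) -> Optional[str]:
        entry = self.entries.get(name)
        if entry is None or now >= entry.expires:
            return None
        return entry.rdata

    def update(self, name: str, rdata: str, trust: int, ttl: int, now: float) -> bool:
        """Offer `rdata` to the cache; return True if it created or replaced the entry."""
        existing = self.entries.get(name)
        if existing is not None and now < existing.expires:
            # Original rule ('<'): reject only strictly less-trusted data, so a
            # same-trust record can replace an unexpired entry at any time.
            # One-character rule ('<='): also reject equally-trusted data, so the
            # existing entry stands until its TTL expires.
            if self.strict:
                rejected = trust <= existing.trust
            else:
                rejected = trust < existing.trust
            if rejected:
                return False
        self.entries[name] = CacheEntry(rdata, trust, now + ttl)
        return True


def run_scenario(strict: bool) -> Dict[str, object]:
    """Replay constructed cache events and report what each rule does with them."""
    cache = ResolverCache(strict)
    out: Dict[str, object] = {}

    # t=0: glue for the zone's name server arrives with a one-hour TTL.
    cache.update("ns1.example.com.", "192.0.2.1", TRUST_GLUE, 3600, now=0)
    # t=10: a second, equally trusted record for the same name arrives.
    out["same_trust_replaced_before_expiry"] = cache.update(
        "ns1.example.com.", "192.0.2.99", TRUST_GLUE, 3600, now=10)
    out["ns1_at_t10"] = cache.lookup("ns1.example.com.", now=10)
    # t=3700: the original TTL has run out; both rules accept the new record.
    out["same_trust_replaced_after_expiry"] = cache.update(
        "ns1.example.com.", "192.0.2.99", TRUST_GLUE, 3600, now=3700)
    # t=3800: more-trusted data replaces a glue entry under either rule.
    out["higher_trust_replaces"] = cache.update(
        "ns1.example.com.", "192.0.2.1", TRUST_ANSWER, 3600, now=3800)

    # Side effect: a one-day-TTL answer record is legitimately renumbered after
    # ten minutes. The strict rule keeps serving the old address until expiry.
    cache.update("www.example.com.", "192.0.2.10", TRUST_ANSWER, 86400, now=0)
    out["renumber_applied_early"] = cache.update(
        "www.example.com.", "192.0.2.20", TRUST_ANSWER, 86400, now=600)
    out["www_at_t600"] = cache.lookup("www.example.com.", now=600)
    return out


if __name__ == "__main__":
    for strict in (False, True):
        print("strict" if strict else "lenient", run_scenario(strict))
```

Under the lenient rule the equally trusted record at t=10 replaces the cached glue; under the strict rule it is refused until t=3600 has passed, which is the behaviour Somlo's change aims for. The same comparison is what makes the renumbered `www.example.com.` record wait out its full 86400-second TTL, which is the cost Kaminsky points to for hosts with very high TTLs.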
In July, an alliance of software makers and infrastructure providers revealed the existence of a major flaw -- found by Kaminsky -- in the domain-name system (DNS). The flaw could allow an attacker to redirect victims from trusted Web sites, such as those of banks, to fake sites. One researcher's theorizing on the nature of the flaw led to most of the details of the issue leaking out less than two weeks later. Last week, the White House sent out a memo to the chief information officers at major agencies, mandating that they move to a complex security solution, known as DNS Security (DNSSEC), by December 2009.
Somlo's "one-character patch" has received some attention -- most notably from an uncritical Slashdot post. Yet, the computer scientist had merely proposed the change on a mailing list for BIND users, asking for feedback.
Somlo responded over the weekend to this article and to posts published by Kaminsky on his Web site, adding that his proposed patch is not intended to be a comprehensive fix for DNS.
"I never set out to fix the many fundamental issues with DNS that Dan -- and others -- are hard at work addressing," Somlo said in an e-mail interview with SecurityFocus. "The only thing my patch is intended to do is to mitigate against the latest exploit -- as presented by Dan at BlackHat -- namely the additional advantage it gives attackers by allowing them to control when and how frequently they may attempt to spoof a caching server. I believe my patch to be adequate for its stated purpose, and that it should be offered as a configuration option to BIND."
UPDATE: This article was updated on Tuesday, September 2, to reflect the responses to an e-mail interview sent to SecurityFocus late Friday.