Kaminsky's DNS flaw accidentally leaked
The details of Kaminsky's DNS cache poisoning flaw were accidentally leaked yesterday. While a lot of speculation, most notably Halvar Flake's, had come close, there had been no official confirmation of all the details of the flaw. While the post was hastily removed, a number of readers had cached copies.
Anyways, to summarize -
1. DNS uses a 16-bit Transaction ID (TxID). This can be brute forced by an attacker who keeps sending an incorrect address for a domain to the nameserver that initiated the query. If the TxID matches, the cache of that DNS server is poisoned and all subsequent requests to that nameserver return the incorrect address. This is not that easy to pull off against DNS servers like djbdns which use source port randomization, since the attacker then has to guess the port as well as the TxID.
2. When a DNS server returns the address for the requested domain, it can also return an additional RR carrying malicious data, which replaces the correct data in the cache. This is prevented by the fact that the requesting server remembers the domain that it has requested an address for, and does not update its cache for any unrelated domains in the same query (the "bailiwick" check).
Kaminsky's vulnerability uses a combination of both these attacks. The attacker sends a stream of responses for subdomains of the domain that he wishes to poison; i.e. - if he wishes to poison the cache for xyz.com, he sends responses for aaaa.xyz.com, aaab.xyz.com and so on. Each response also carries an additional RR with a forged address for xyz.com, which is in bailiwick for those queries and therefore not filtered. Sooner or later, one of these responses matches the TxID of an outstanding query, the server accepts it, and the DNS cache is poisoned.
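To make the two resolver-side checks above concrete, here is an added example (my own illustration, not code from the original post or from any DNS implementation). It models DNS messages as plain dictionaries rather than wire format, implements the TxID/port match from point 1 and the bailiwick filter from point 2, and then shows why the bailiwick filter alone does not help against the combined attack: an additional RR for xyz.com is legitimately in bailiwick for a query about aaaa.xyz.com. The `guesses_needed` helper shows the defensive effect of source port randomization on the size of the space a forger has to cover. The names `aaaa.xyz.com`, `xyz.com`, `other.example` and the port range of 64512 (ports 1024-65535) are constructed sample values.

```python
"""Added illustration of the resolver-side checks described in the post.
Messages are simplified dicts; no real DNS parsing is done."""


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` equals `zone` or is a subdomain of it.

    Comparison is label-wise and case-insensitive, so 'xyzz.com' is NOT
    inside 'xyz.com' even though it shares a string suffix."""
    n = name.rstrip(".").lower().split(".")
    z = zone.rstrip(".").lower().split(".")
    return len(n) >= len(z) and n[-len(z):] == z


def response_matches(query: dict, response: dict) -> bool:
    """Point 1: a response is only considered if its TxID matches the
    outstanding query and it arrives on the port the query was sent from."""
    return (response["txid"] == query["txid"]
            and response["dst_port"] == query["src_port"])


def filter_additional(zone: str, additional: list) -> list:
    """Point 2: drop additional RRs for names outside the zone the query
    was sent to, so an unrelated domain cannot be planted in the cache."""
    return [rr for rr in additional if in_bailiwick(rr["name"], zone)]


def guesses_needed(txid_bits: int = 16, port_range: int = 1) -> int:
    """Size of the space an off-path forger must cover per outstanding query:
    2^txid_bits TxIDs times the number of possible source ports.
    port_range=1 models a resolver with a fixed source port."""
    return (1 << txid_bits) * port_range


def demo() -> dict:
    """Walk one query/response pair through both checks and report results."""
    # Constructed sample: resolver asked xyz.com's nameserver about aaaa.xyz.com
    query = {"name": "aaaa.xyz.com", "txid": 0x1234, "src_port": 53000}
    response = {
        "txid": 0x1234,           # matches the outstanding query
        "dst_port": 53000,        # matches the query's source port
        "answer": [{"name": "aaaa.xyz.com", "rdata": "192.0.2.10"}],
        "additional": [
            {"name": "xyz.com", "rdata": "192.0.2.99"},        # in bailiwick: kept
            {"name": "other.example", "rdata": "192.0.2.77"},  # out of bailiwick: dropped
        ],
    }
    kept = filter_additional("xyz.com", response["additional"])
    return {
        "accepted": response_matches(query, response),
        "kept_additional": [rr["name"] for rr in kept],
        "guesses_fixed_port": guesses_needed(16, 1),
        "guesses_random_port": guesses_needed(16, 64512),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point the demo makes: the bailiwick filter correctly discards `other.example`, but keeps the forged `xyz.com` record because it is inside the zone being queried, which is exactly the gap Kaminsky's combination exploits. What changes the economics is `guesses_needed`: a fixed source port leaves a 65,536-value space to cover per query, whereas randomizing over the ephemeral port range pushes it past four billion.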