North American Network Operators Group

Re: off-topic (Re: how to protect name servers against cache corruption)
well, the router comment wasn't mine so i don't think it really needs explanation.

as for the childish attempt to imply that somehow the statement of a problem is tantamount to insanity, well...i guess i thought you could do better.

there *is* a problem with query ID spoofing, as you have known for years, *but* there is a way to significantly harden a nameserver against this sort of attack *without* going against RFC and without rewriting it in C++ with the help of Jim Phlegming. i did not come up with the algorithm to win the spoof race, so i will leave that in the capable hands of tom ptacek.

ben

ps - perry, you can get off your knees now.

On Tue, 29 Jul 1997, Paul A Vixie wrote:

> if you want to know how to configure your router, hit "D" now.
>
> > > > No one in the security field has any right to expect any implementation of
> > > > DNS to be secure until DNSSEC is widely implemented.
> >
> > this statement bothers me. certainly without DNSSEC there can be no
> > *assurances* of security, but there is a gaping chasm between the current
> > system and DNSSEC that could be closed significantly with proper design.
>
> please explain further. perhaps i've been in this trench too long, i'm
> just not getting what you mean. (how do i configure my router for that?)
>
> > simply stating that until DNSSEC arrives these attacks are going to be
> > allowed is a copout.
>
> better yet, send diffs. perhaps the bind-workers group are all idiots and
> this could actually be done better if we'd just rewrite it all in C++. jim
> fleming keeps saying that that's the problem. perhaps you and he could work
> together on a robust replacement for BIND.
>