North American Network Operators Group

Re: how to protect name servers against cache corruption
i say again that although it cannot be made completely secure in the DNSSEC sense, it can absolutely be made far more resistant to some *known* attacks without significant code changes.

ben

On Tue, 29 Jul 1997, Paul A Vixie wrote:

> Let me put this another more interesting and more direct way.
>
> Postulate a name server with the following properties:
>
> 1. Actually works on and is connected to the live Internet.
> 2. RFC compliant except as nec'y to comply with #1 above.
> 3. No DNSSEC, no TSIG, no SECUPD.
> 4. Completely bug free.
>
> You go right ahead and build that name server, and I will drive a truck,
> no, better still a bus or even a backhoe, right through its front window.
>
> DNS is not secure and cannot be made so. BIND-8.1.1 is the best there is,
> and it's what you should run, but as long as you run DNS without DNSSEC,
> your confidence level should be set accordingly.
>
> PS:
>
> BIND is definitely #1, is almost #2, is definitely #3, and trying to be #4.