Re: Multiple DNS implementations vulnerable to cache poisoning

• From: Christopher Morrow
• Date: Thu Jul 10 11:09:03 2008

• List-archive: <http://mailman.nanog.org/pipermail/nanog>
• List-help: <mailto:[email protected]?subject=help>
• List-id: North American Network Operators Group <nanog.nanog.org>
• List-post: <mailto:[email protected]>
• List-subscribe: <http://mailman.nanog.org/mailman/listinfo/nanog>, <mailto:[email protected]?subject=subscribe>
• List-unsubscribe: <http://mailman.nanog.org/mailman/listinfo/nanog>, <mailto:[email protected]?subject=unsubscribe>

On Thu, Jul 10, 2008 at 10:22 AM, Wes Hardaker <[email protected]> wrote:
>>>>>> On Wed, 9 Jul 2008 22:55:05 -0400, "Christopher Morrow" <[email protected]> said:
>
>>>> aside from just getting some cctlds signed, i will be interested in the
>>>> tools, usability, work flow, ...  i.e. what is it like for a poor
>>>> innocent cctld which wants to sign their zone?
>>>
>>> If there is sufficient interest, we could do a bar bof to describe some of
>>> the tools IANA has...
>>>
>
> CM> I think Sandy Murphy or other Sparta folks have presented some of the
> CM> work they've done on this... Perhaps finding one/some of them and
> CM> having a more operations focused presentation in LAX or ... is a good
> CM> idea as well?
>
> The tools that Sparta developed (and made freely available via an open
> source packaged that is BSD licensed) can be found at
> http://www.dnssec-tools.org/ .  In particular, signing a zone is

yup, and that's helpful stuff.

> intended to be easy using "zonesigner" (requires bind tools):
>
>  zonesigner -genkeys db.example.com
>

great... what about a zone that's getting slaved off of a silent
master at the customer site? how does that get integrated? (customer
does the dns-sec magic, my server validates the updates... config
examples help here)

> Then next time, just leave off the -genkeys argument.
>
> (there is also a daemon called "rollerd" that can auto-sign on a regular
> basis and help automate key-rollever timing)
>

nice, extra load induced on server? impact on the number of zones I
can serve? tinydns compatible? db-backended NS daemon support?

> The full list of tools and tutorials sectioned into different needs can
> be found here:
>
>  http://www.dnssec-tools.org/wiki/index.php/Tutorials
>

great :)

>
> All for free.  Don't you hate those ??biased??, freely-available,
> source-code-supplied-so-you-can-change-it, BSD-licensed open source
> packages?
> --

I like free... as long as it's the hammer I need for the nails I have.

-Chris

• References:
  • Multiple DNS implementations vulnerable to cache poisoning Buhrmaster, Gary
  • Re: Multiple DNS implementations vulnerable to cache poisoning Steven M. Bellovin
  • Re: Multiple DNS implementations vulnerable to cache poisoning Christopher Morrow
  • Re: Multiple DNS implementations vulnerable to cache poisoning David Conrad
  • Re: Multiple DNS implementations vulnerable to cache poisoning Randy Bush
  • Re: Multiple DNS implementations vulnerable to cache poisoning David Conrad
  • Re: Multiple DNS implementations vulnerable to cache poisoning Randy Bush
  • Re: Multiple DNS implementations vulnerable to cache poisoning David Conrad
  • Re: Multiple DNS implementations vulnerable to cache poisoning Christopher Morrow

• Prev by Date: Big delays at Sprint or Verizon network?
• Next by Date: Independent Testing for Network Hardware
• Date Index
• Thread Index
• Author Index
• Historical