Home page logo

nanog logo nanog mailing list archives

Re: how to protect name servers against cache corruption
From: Ben Black <black () zen cypher net>
Date: Tue, 29 Jul 1997 21:19:54 -0400 (EDT)

Noone in the security field has any right to expect any implementation of
DNS to be secure until DNSSEC is widely implemented.

this statement bothers me.  certainly without DNSSEC there can be no 
*assurances* of security, but there is a gaping chasm between the current 
system and DNSSEC that could be closed significantly with proper design.

simply stating that until DNSSEC arrives these attacks are going to be 
allowed is a copout.


I'm sorry if something I said misled you to believe otherwise.

So BIND 8.1.1 is NOT "immune" to the poisoned resource-record attack? I
ask because you specifically stated that it was. Sorry to nag, I'd just
like to see this clarified to the operations community.

Again, thanks for your time and patience!

Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf () enteract com]
"If you're so special, why aren't you dead?"

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]