Home page logo

nanog logo nanog mailing list archives

off-topic (Re: how to protect name servers against cache corruption )
From: Paul A Vixie <vixie () vix com>
Date: Tue, 29 Jul 1997 18:23:38 -0700

if you want to know how to configure your router, hit "D" now.
Noone in the security field has any right to expect any implementation of
DNS to be secure until DNSSEC is widely implemented.

this statement bothers me.  certainly without DNSSEC there can be no 
*assurances* of security, but there is a gaping chasm between the current 
system and DNSSEC that could be closed significantly with proper design.

please explain further.  perhaps i've been in this trench too long, i'm
just not getting what you mean.  (how do i configure my router for that?)

simply stating that until DNSSEC arrives these attacks are going to be 
allowed is a copout.

better yet, send diffs.  perhaps the bind-workers group are all idiots and
this could actually be done better if we'd just rewrite it all in C++.  jim
fleming keeps saying that that's the problem.  perhaps you and he could work
together on a robust replacement for BIND.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]