Home page logo

nanog logo nanog mailing list archives

Re: how to protect name servers against cache corruption
From: Ben Black <black () zen cypher net>
Date: Tue, 29 Jul 1997 22:13:38 -0400 (EDT)

i say again that although it cannot be made completely secure in the 
DNSSEC sense, it can absolutely be made far more resistant to some 
*known* attacks without significant code changes.


On Tue, 29 Jul 1997, Paul A Vixie wrote:

Let me put this another more interesting and more direct way.

Postulate a name server with the following properties:

      1. Actually works on and is connected to the live Internet.
      2. RFC compliant except as nec'y to comply with #1 above.
      3. No DNSSEC, no TSIG, no SECUPD.
      4. Completely bug free.

You go right ahead and build that name server, and I will drive a truck,
no, better still a bus or even a backhoe, right through its front window.

DNS is not secure and cannot be made so.  BIND-8.1.1 is the best there is,
and it's what you should run, but as long as you run DNS without DNSSEC,
your confidence level should be set accordingly.


BIND is definitely #1, is almost #2, is definitely #3, and trying to be #4.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]