nanog mailing list archives

Re: how to protect name servers against cache corruption
From: "Perry E. Metzger" <perry () piermont com>
Date: Tue, 29 Jul 1997 22:13:23 -0400

Paul has made it clear that there are holes in the DNS protocols that
cannot be fixed without DNSSEC. He isn't papering anything over -- he
is merely describing reality. If you want to be sarcastic to him for
doing his best and being honest in public, well, that's fine, but
frankly I think you are doing the community a serious disservice by
attacking Paul.


"Thomas H. Ptacek" writes:
BIND 4.9.6 and 8.1.1 are immune to all known attacks, including the one

[ splice ]

I know of attacks we are not immune to, which cannot be stopped without

Um. I hate to play semantic games, but if you know of attacks that BIND
8.1.1 is not immune to, then BIND 8.1.1 is not immune to all known

Since this is not a security list, I'll refrain from (rhetorically)
informing you that history doesn't back up your assertion of the existence
of "holes that only the good guys know".

Oops. Sorry about that.

Thanks for clearing this up!

Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf () enteract com]
"If you're so special, why aren't you dead?"
