Home page logo

nanog logo nanog mailing list archives

Re: how to protect name servers against cache corruption
From: "Thomas H. Ptacek" <tqbf () enteract com>
Date: Tue, 29 Jul 1997 21:51:23 -0500 (CDT)

Sure, smart guy. And there are also issues with IP packets
which are passed across untrusted nodes in the Internet.
What exactly is your point?

Why are you asking me questions after having placed me in your killfile?

To answer your question briefly: there are fixes for both the poisoned-RR
problem (extensive validity checking and non-caching cut-through
responses), as explained by Johannes Erdfelt, and there are fixes for the
guessable-ID problem (randomized query IDs backed up by server-survival
assurances using "cookie" queries, along with a attack detection mechanism
that reduces the entire problem to a denial-of-service attack). Neither of
these involve DNSSEC.

You are being told that the Internet is essentially broken until DNSSEC is
implemented. Some people feel this is not the case. I am one of them. You
have my apologies if my means of expressing this seem unacceptable to you.

Thanks for taking the time to write!

Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf () enteract com]
"If you're so special, why aren't you dead?"

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]