DNS hardening, was Re: Dan Kaminsky
John R. Levine
johnl at iecc.com
Wed Aug 5 19:23:00 UTC 2009
> 3 works, but offers zero protection against 'kaminsky spoofing the
> root' since you can't fold the case of "123456789.". And the root is
> the goal.
Good point.
5) Download your own copy of the root zone every few days from
http://www.internic.net/domain/, check the signature if you can find the
signing key for 289FE7AD, and use that rather than the public roots.
6) EDNS0 PING, if you think anyone else will implement it
R's,
John
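
The quoted objection worked through, as an added example that is not part of the original message. It assumes item 3 refers to 0x20 mixed-case query encoding (the earlier list is not on this page) and a fixed source port; the function names and sample query names are constructed for illustration.

```python
import secrets


def is_foldable(ch: str) -> bool:
    """Only ASCII letters have a case bit (0x20) that can be randomized."""
    return ch.isascii() and ch.isalpha()


def encode_0x20(qname: str) -> str:
    """Randomize the case of each letter in the query name before sending."""
    return "".join(
        (ch.upper() if secrets.randbits(1) else ch.lower()) if is_foldable(ch) else ch
        for ch in qname
    )


def entropy_bits(qname: str) -> int:
    """Extra unpredictable bits gained from 0x20: one per ASCII letter."""
    return sum(1 for ch in qname if is_foldable(ch))


def response_matches(sent_qname: str, echoed_qname: str) -> bool:
    """Resolver-side check: the question section must echo the exact case sent."""
    return sent_qname == echoed_qname


def guess_space(qname: str, txid_bits: int = 16) -> int:
    """Number of equally likely (TXID, case pattern) pairs an off-path
    forger must guess among, assuming the source port is fixed."""
    return 2 ** (txid_bits + entropy_bits(qname))


if __name__ == "__main__":
    # Constructed sample names: a normal host, a digits-only label, the root.
    for name in ("www.example.com.", "123456789.", "."):
        sent = encode_0x20(name)
        print(f"{name!r:22} sent as {sent!r:22} "
              f"+{entropy_bits(name):2d} bits, guess space {guess_space(name)}")
```

For the digits-only name and for the root, the sent name is identical to the original and the guess space stays at the 16-bit transaction ID alone.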