DNS hardening, was Re: Dan Kaminsky

John R. Levine johnl at iecc.com
Wed Aug 5 19:23:00 UTC 2009


> 3 works, but offers zero protection against 'Kaminsky spoofing the
> root' since you can't fold the case of "123456789.". And the root is
> the goal.

Good point.

5) Download your own copy of the root zone every few days from 
http://www.internic.net/domain/, check the signature if you can find the 
signing key for 289FE7AD, and use that rather than the public roots.

6) EDNS0 PING, if you think anyone else will implement it

R's,
John
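
Added illustration, not part of the original message: assuming the "3" in the quoted text refers to 0x20 mixed-case query encoding, this counts the bits that case randomization adds to a query name and shows why an all-digit name such as "123456789." gets none. The function names, sample names and bit widths are constructed for the example.

```python
import secrets


def encode_0x20(qname: str) -> str:
    """Return qname with the case of each ASCII letter chosen at random."""
    out = []
    for ch in qname:
        if ch.isascii() and ch.isalpha():
            out.append(ch.upper() if secrets.randbits(1) else ch.lower())
        else:
            out.append(ch)  # digits, dots and hyphens have no case to vary
    return "".join(out)


def entropy_bits(qname: str) -> int:
    """Each ASCII letter adds one bit an off-path spoofer has to guess."""
    return sum(1 for ch in qname if ch.isascii() and ch.isalpha())


def response_matches(sent_qname: str, echoed_qname: str) -> bool:
    """Resolver-side check: the reply must echo the exact case that was sent."""
    return sent_qname == echoed_qname


def spoof_search_space(qname: str, id_bits: int = 16, port_bits: int = 0) -> int:
    """Number of combinations a blind spoofer must cover for one query.

    id_bits is the DNS transaction ID width; port_bits is an assumed
    amount of source-port randomization (0 for a fixed source port).
    """
    return 2 ** (id_bits + port_bits + entropy_bits(qname))


if __name__ == "__main__":
    # Constructed sample names: an ordinary host name, the all-digit
    # name from the quoted text, and the root itself.
    for name in ("www.example.com.", "123456789.", "."):
        sent = encode_0x20(name)
        print(f"{name!r:22} sent as {sent!r:22} "
              f"+{entropy_bits(name)} bits, "
              f"search space {spoof_search_space(name)}")
```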



