how to protect name servers against cache corruption

• Previous message (by thread): how to protect name servers against cache corruption
• Next message (by thread): how to protect name servers against cache corruption
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Ben Black writes:
> so a statement from paul that the internet is effectively broken until 
> DNSSEC is acceptable to you even if there are known ways to combat known 
> attacks?

I will be charitable and not comment on your ancestry or intelligence
at this time.

I will only say that there *are* no ways to combat the attacks Paul is
speaking of. All the attacks that can be defended against without
DNSSEC are properly handled by Bind 8.1.1. The attacks that cannot be
stopped can't be stopped, period. Paul didn't design the DNS and
you don't get to change history to fix existing problems after the fact.

What we should be doing is deploying DNSSEC, of course. If people
would donate sufficient funds to ISC I suspect that would happen
faster -- as it stands, Paul develops BIND out of money from his own
pocket, and I don't get the impression he's drowning in cash.

> stop worshipping long enough to think about the ramifications of this.

The major ramification appears to be that you don't have the sense to
keep from speaking about topics you don't understand. This is an ever
so common failing.

Perry

• Previous message (by thread): how to protect name servers against cache corruption
• Next message (by thread): how to protect name servers against cache corruption
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]