how to protect name servers against cache corruption

Thomas H. Ptacek tqbf at enteract.com
Wed Jul 30 02:51:23 UTC 1997


> Sure, smart guy. And there are also issues with IP packets
> which are passed across untrusted nodes in the Internet.
> What exactly is your point?

Why are you asking me questions after having placed me in your killfile?

To answer your question briefly: there are fixes for both the poisoned-RR
problem (extensive validity checking and non-caching cut-through
responses), as explained by Johannes Erdfelt, and there are fixes for the
guessable-ID problem (randomized query IDs backed up by server-survival
assurances using "cookie" queries, along with an attack detection mechanism
that reduces the entire problem to a denial-of-service attack). Neither of
these involves DNSSEC.

You are being told that the Internet is essentially broken until DNSSEC is
implemented. Some people feel this is not the case. I am one of them. You
have my apologies if my means of expressing this seem unacceptable to you.

Thanks for taking the time to write!

----------------
Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf at enteract.com]
----------------
"If you're so special, why aren't you dead?"
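
The two classes of fix named in the message above, sketched as an added example that is not part of the original post or of any name server's code. The message does not specify the exact checks, so this assumes: an in-zone (bailiwick) test as the validity check, a random 16-bit query ID, and a hypothetical threshold of wrong-ID replies after which nothing is cached for that query. The names PendingQuery, in_bailiwick and max_bad_ids are made up for illustration.

```python
import secrets

def in_bailiwick(owner, zone):
    """True if the record's owner name is at or below the zone that was queried."""
    owner, zone = owner.lower().rstrip("."), zone.lower().rstrip(".")
    return zone == "" or owner == zone or owner.endswith("." + zone)

class PendingQuery:
    """State a resolver keeps for one outstanding query (illustrative only)."""

    def __init__(self, qname, server_ip, zone, max_bad_ids=3):
        self.qid = secrets.randbelow(1 << 16)   # unpredictable query ID
        self.qname = qname.lower().rstrip(".")
        self.server_ip = server_ip
        self.zone = zone
        self.max_bad_ids = max_bad_ids          # assumed detection threshold
        self.bad_ids = 0
        self.under_attack = False

    def accept(self, src_ip, resp_id, resp_qname, records):
        """Return the records that may be cached, or None if the reply is rejected."""
        if src_ip != self.server_ip:
            return None
        if resp_qname.lower().rstrip(".") != self.qname:
            return None
        if resp_id != self.qid:
            # A burst of wrong IDs from the "right" address suggests ID guessing.
            self.bad_ids += 1
            if self.bad_ids >= self.max_bad_ids:
                self.under_attack = True
            return None
        if self.under_attack:
            # A matching ID can no longer be trusted: drop the reply and let the
            # caller retry. The worst outcome is a failed lookup, not a bad cache.
            return None
        # Validity check: keep only records the queried zone can speak for.
        return [rr for rr in records if in_bailiwick(rr[0], self.zone)]

# Constructed sample reply: one in-zone record, one unrelated record.
SAMPLE = [("www.example.com", "A", "192.0.2.10"),
          ("www.victim.test", "A", "203.0.113.66")]

if __name__ == "__main__":
    q = PendingQuery("www.example.com", "192.0.2.53", "example.com")
    print(q.accept("192.0.2.53", q.qid, "www.example.com", SAMPLE))
```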




