how to protect name servers against cache corruption

• Previous message (by thread): how to protect name servers against cache corruption
• Next message (by thread): how to protect name servers against cache corruption
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Jul 29, 1997 at 09:55:48PM -0500, Thomas H. Ptacek wrote:
> What I am asserting to you is that there are variants on this attack which
> are not currently fixed by BIND 8.1.1. On a related note, there are things
> that can be done to strengthen DNS implementations (such as BIND) against
> these attacks that do not involve DNSSEC. 

(This being still basically on-topic as it relates to the security of
a critical component..)

Would either you or Ben Black please give an example of a change that
fits the characteristics you have described?  I see a lot of "Yes it
can.  No it can't.  Yes it can." but nobody has actually supplied any
_details_.  Paul has written papers on DNS security, along with BIND
itself, and I'm inclined to believe him when he says there are no more
trivial fixes.  If you know of one, why don't you share it?  I'm not
asking for code, just a description of what you want changed.  Then
someone will either implement it or find that it is flawed.
-- 
= Christopher Masto        = chris at netmonger.net = http://www.netmonger.net/  =
= NetMonger Communications = finger for  PGP key = $19.95/mo unlimited access =
= Director of Operations   =   (516)  221-6664 	 = mailto:info at netmonger.net  =

v---(cut here)---v
    --
    yourname at some.dumb.host.com
    "Keep in mind that anything Kibo says makes a great sig."  -- Kibo
^---(cut here)---^

• Previous message (by thread): how to protect name servers against cache corruption
• Next message (by thread): how to protect name servers against cache corruption
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]