Dan Kaminsky

Florian Weimer fweimer at bfk.de
Wed Aug 5 14:32:27 UTC 2009


* Leo Bicknell:

> In a message written on Tue, Aug 04, 2009 at 11:32:46AM -0700, Kevin Oberman wrote:
>> There is NO fix. There never will be as the problem is architectural
>> to the most fundamental operation of DNS. Other than replacing DNS (not
>> feasible), the only way to prevent this form of attack is DNSSEC. The
>> "fix" only makes it much harder to exploit.
>
> I don't understand why replacing DNS is "not feasible".

Replacing the namespace is not feasible because any newcomer will lack
the liability shield ICANN, root operators, TLD registries, and
registrars have established for the Internet DNS root, so it will
never get beyond the stage of hashing out the legal issues.  We might
have an alternative one day, but it's going to happen by accident,
through generalization of an internal naming service employed by a
widely-used application.  There are several successful
application-specific naming services which are independent of DNS, but
all the attempts at replacing DNS as a general-purpose naming service
have failed.

The transport protocol is a separate issue.  It is feasible to change
it, but the IETF has a special working group which is currently tasked
to prevent any such changes.

-- 
Florian Weimer                <fweimer at bfk.de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99
