DNS hardening, was Re: Dan Kaminsky

Paul Jakma paul at jakma.org
Thu Aug 6 04:04:32 CDT 2009

On Thu, 6 Aug 2009, Florian Weimer wrote:

> This doesn't seem possible with current SCTP because the heartbeat 
> rate quickly adds up and overloads servers further upstream.  It 
> also does not work on UNIX-like systems where processes are 
> short-lived and get a fresh stub resolver each time they are 
> restarted.

Stubs on Unix systems can have long-lived processes that handle the 
actual lookups; the stub component in the process that calls into the 
resolver then accesses it via IPC, i.e. the NSCD-style approach.

Paul Jakma	paul at jakma.org	Key ID: 64A2FF6A
As Zeus said to Narcissus, "Watch yourself."
