DNS hardening, was Re: Dan Kaminsky

Paul Jakma paul at jakma.org
Thu Aug 6 04:04:32 CDT 2009


On Thu, 6 Aug 2009, Florian Weimer wrote:

> This doesn't seem possible with current SCTP because the heartbeat 
> rate quickly adds up and overloads servers further upstream.  It 
> also does not work on UNIX-like system where processes are 
> short-lived and get a fresh stub resolver each time they are 
> restarted.

Stubs on Unix systems can have long-lived processes that handle the 
actual lookups, the stub component in the process that calls into the 
resolver then accesses it via IPC. I.e. the NSCD style approach.

regards,
-- 
Paul Jakma	paul at jakma.org	Key ID: 64A2FF6A
Fortune:
As Zeus said to Narcissus, "Watch yourself."




More information about the NANOG mailing list