dnscurve and DNS hardening, was Re: Dan Kaminsky
Alexander Harrowell
a.harrowell at gmail.com
Thu Aug 6 10:06:49 UTC 2009
There are really two security problems here, which implies that two different
methods might be necessary:
1) Authenticate the nameserver to the client (and so on up the chain to the
root) in order to defeat the Kaminsky attack, man in the middle, IP-layer
interference. (Are you who you say you are?)
2) Validate the information in the nameserver. (OK, so you're the nameserver;
but who says www.google.com is 1.2.3.4?)
1) is the transport layer problem; 2) is the DNSSEC/zone signing problem.