Dailydave mailing list archives
Re: DNS Speculation
From: "Dominique Brezinski" <dominique.brezinski () gmail com>
Date: Tue, 22 Jul 2008 19:22:46 -0700
On Tue, Jul 22, 2008 at 10:27 AM, natron <shiftnato () gmail com> wrote:
I assume that mucking with ns.google.com's ability to update *.google.com records on the fly would probably negatively impact large organizations' current DNS architectures, where they probably rely on this for redundancy and load balancing.

Nathan
Your assumption is absolutely correct. The name servers that are authoritative for a domain need to be able to update and change the records for the domain at any time. Think about the case where a network re-architecture needs to be completed, or there is a massive failure that needs a readdressing to fix, etc. I worked on the security engineering team at amazon.com through the 2000 DDoS attacks as well as numerous other attacks and non-security failures. There were a couple times where pushing DNS changes, including changing the location of primary and secondary name servers, was a completely valid and necessary action to fix a problem.

I am not trying to be condescending, but all this talk about the validity of caching additional RR fields is bogus. Of course a caching server should give precedence to additional RR entries provided by the authoritative source over those in the cache. Think about responding to a cache poisoning attack... you sure want your valid, authoritative responses to supersede the poisoned cache entries! The cache logic as implemented is fine; it is identification and authorization of who is authoritative for a domain that is the issue.

I am not a fan of DNSSEC as implemented, but identification and authorization is why people like Paul Vixie push it. As noted in the thread, adding source port randomization increases the number of unique bits used to identify and authorize a response as valid.

Dom
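As an added illustration of the last point (this is example code, not part of Dom's message or of anything else in the thread), the following Python model shows why source port randomization matters for an off-path forger. A resolver with a single outstanding query accepts the first response whose (transaction ID, destination port) pair matches; a blind attacker floods guessed responses before the legitimate answer arrives. The assumptions are constructed: a 16-bit TXID, a legacy resolver that always sends from port 53, and a randomizing resolver that picks uniformly from ports 1024 to 65535.

```python
"""Blind DNS response forgery: how many bits does the resolver actually check?

Added example, not from the mailing-list thread. Everything here is a
constructed model; no real DNS traffic is sent or parsed.
"""
import random

TXID_BITS = 16
FIXED_SOURCE_PORT = 53                 # constructed: the classic "always port 53" resolver
EPHEMERAL_PORTS = range(1024, 65536)   # assumption: the randomized source-port range


def guess_space(randomize_port: bool) -> int:
    """Number of equally likely (txid, port) pairs an off-path attacker must guess among."""
    ports = len(EPHEMERAL_PORTS) if randomize_port else 1
    return (1 << TXID_BITS) * ports


def blind_success_probability(randomize_port: bool, forged_per_window: int) -> float:
    """P(at least one of k forged responses, each guessed uniformly with
    replacement, matches the outstanding query) = 1 - (1 - 1/n)^k."""
    n = guess_space(randomize_port)
    return 1.0 - (1.0 - 1.0 / n) ** forged_per_window


def resolver_accepts(outstanding: tuple, response: tuple) -> bool:
    """The only check a pre-DNSSEC resolver can make: TXID and port must match."""
    return outstanding == response


def simulate_race(randomize_port: bool, forged_per_window: int,
                  trials: int, seed: int = 2008) -> int:
    """Count how many of `trials` query windows the forger wins.

    Each window: the resolver picks a fresh (txid, port) and the attacker
    sends `forged_per_window` responses with guessed (txid, port) values.
    The attacker is assumed to know the port range but not the chosen port.
    """
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        txid = rng.getrandbits(TXID_BITS)
        port = rng.choice(EPHEMERAL_PORTS) if randomize_port else FIXED_SOURCE_PORT
        outstanding = (txid, port)
        for _ in range(forged_per_window):
            g_txid = rng.getrandbits(TXID_BITS)
            g_port = rng.choice(EPHEMERAL_PORTS) if randomize_port else FIXED_SOURCE_PORT
            if resolver_accepts(outstanding, (g_txid, g_port)):
                wins += 1
                break
    return wins


if __name__ == "__main__":
    k = 2000  # forged responses the attacker can land in one window (constructed)
    for randomize in (False, True):
        print(f"port randomization={randomize}: "
              f"guess space={guess_space(randomize)}, "
              f"P(win per window)={blind_success_probability(randomize, k):.2e}, "
              f"simulated wins over 500 windows={simulate_race(randomize, k, 500)}")
```

The point the model makes is the one Dom states: the resolver's only identification of a legitimate answer is the bits it compares, and the fixed-port case leaves just 16 of them. Randomizing the port multiplies the guess space by the size of the port range, so the same flood that wins a measurable fraction of windows against port 53 effectively never wins against a randomized port. The attacker's response can also arrive only before the real one does, which is why the window size `k` matters; the model keeps that as a parameter rather than assuming a value.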