nanog mailing list archives
Re: off-topic (Re: how to protect name servers against cache corruption )
From: Ben Black <black () zen cypher net>
Date: Wed, 30 Jul 1997 05:58:14 -0400 (EDT)
well, the router comment wasn't mine so i don't think it really needs explanation.

as for the childish attempt to imply that somehow the statement of a problem is tantamount to insanity, well...i guess i thought you could do better. there *is* a problem with query ID spoofing, as you have known for years, *but* there is a way to significantly harden a nameserver against this sort of attack *without* going against RFC and without rewriting it in C++ with the help of Jim Phlegming.

i did not come up with the algorithm to win the spoof race, so i will leave that in the capable hands of tom ptacek.

ben

ps - perry, you can get off your knees now.

On Tue, 29 Jul 1997, Paul A Vixie wrote:
if you want to know how to configure your router, hit "D" now.

No one in the security field has any right to expect any implementation of DNS to be secure until DNSSEC is widely implemented.

this statement bothers me. certainly without DNSSEC there can be no *assurances* of security, but there is a gaping chasm between the current system and DNSSEC that could be closed significantly with proper design.

please explain further. perhaps i've been in this trench too long, i'm just not getting what you mean. (how do i configure my router for that?)

simply stating that until DNSSEC arrives these attacks are going to be allowed is a copout.

better yet, send diffs. perhaps the bind-workers group are all idiots and this could actually be done better if we'd just rewrite it all in C++. jim fleming keeps saying that that's the problem. perhaps you and he could work together on a robust replacement for BIND.