North American Network Operators Group
Re: how to protect name servers against cache corruption
> Sure, smart guy. And there are also issues with IP packets
> which are passed across untrusted nodes in the Internet.
> What exactly is your point?

Why are you asking me questions after having placed me in your killfile?

To answer your question briefly: there are fixes for both the poisoned-RR problem (extensive validity checking and non-caching cut-through responses), as explained by Johannes Erdfelt, and there are fixes for the guessable-ID problem (randomized query IDs backed up by server-survival assurances using "cookie" queries, along with an attack detection mechanism that reduces the entire problem to a denial-of-service attack).

Neither of these involve DNSSEC. You are being told that the Internet is essentially broken until DNSSEC is implemented. Some people feel this is not the case. I am one of them. You have my apologies if my means of expressing this seem unacceptable to you.

Thanks for taking the time to write!

----------------
Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [email@example.com]
----------------
"If you're so special, why aren't you dead?"