[128074] in cryptography@c2.net mail archive


Re: Kaminsky finds DNS exploit

daemon@ATHENA.MIT.EDU (Florian Weimer)
Mon Jul 14 10:36:55 2008

From: Florian Weimer <fw@deneb.enyo.de>
To: John Levine <johnl@iecc.com>
Cc: cryptography@metzdowd.com
Date: Mon, 14 Jul 2008 16:27:58 +0200
In-Reply-To: <20080714142230.76441.qmail@simone.iecc.com> (John Levine's
	message of "14 Jul 2008 14:22:30 -0000")

* John Levine:

>>CERT/CC mentions this:
>>
>>| It is important to note that without changes to the DNS protocol, such
>>| as those that the DNS Security Extensions (DNSSEC) introduce, these
>>| mitigations cannot completely prevent cache poisoning.
>
> Why wouldn't switching to TCP lookups solve the problem?

It requires code changes on both types of servers, in order to make them
more scalable.

> It's arguably more traffic than DNSSEC, but it has the large practical
> advantage that they actually work with deployed servers today.

Implementors say that in many cases, their software as it's currently
implemented can't take the load.  It's not much worse than web traffic,
that's why I think it can be made to work (perhaps easier with kernel
support, who knows).  But code changes are apparently required.

And once you need code changes, you can roll out DNSSEC--or some
extended query ID with 64 additional bits of entropy.

On top of that, some operators decided not to offer TCP service at all.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
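The exchange above turns on how much an off-path attacker has to guess before a classic UDP resolver accepts a forged answer: the 16-bit transaction ID, the query's source port if it is randomized, and whatever additional bits a protocol extension might add. The following is an added worked example, not code from the thread or from any resolver; the header packer, the resolver-side acceptance check, the `sweep_txids` flooding routine and the `poison_probability` helper are all constructed for illustration, and the sample query (`example.com`, ID `0xBEEF`) is made up.

```python
"""Added example (not part of the list thread): what an off-path attacker
must match before a pre-DNSSEC resolver accepts a forged UDP answer.

The resolver accepts a reply if it arrives at the port the query left
from, carries the query's 16-bit transaction ID, and repeats the
question.  Everything here (minimal RFC 1035 header packing, the
acceptance check, the probability helper) is constructed for
illustration and is not BIND/Unbound code.
"""
import math
import struct

QR_BIT = 0x8000  # DNS header flags: QR=1 marks a response, 0 a query


def encode_qname(name):
    """Encode 'example.com' as DNS labels: \\x07example\\x03com\\x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_message(txid, qname, response=False, qtype=1, qclass=1):
    """12-byte header (ID, flags, QD/AN/NS/AR counts) plus one question.
    Answer records are omitted; the acceptance check never looks at them."""
    flags = QR_BIT if response else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_qname(qname) + struct.pack("!HH", qtype, qclass)


def parse_message(data):
    txid, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return {"txid": txid,
            "is_response": bool(flags & QR_BIT),
            "question": data[12:]}


class OutstandingQuery:
    """What the resolver remembers about a query it has sent (constructed)."""
    def __init__(self, txid, src_port, qname):
        self.txid = txid
        self.src_port = src_port
        self.question = encode_qname(qname) + struct.pack("!HH", 1, 1)


def resolver_accepts(query, packet, dst_port):
    """Classic (pre-DNSSEC) acceptance test for a UDP reply: right socket,
    right transaction ID, same question.  Nothing here is authenticated."""
    msg = parse_message(packet)
    return (msg["is_response"]
            and dst_port == query.src_port
            and msg["txid"] == query.txid
            and msg["question"] == query.question)


def sweep_txids(query, attacker_dst_port, qname):
    """Off-path attacker floods all 65536 IDs at the port it assumes the
    resolver used; returns how many forgeries the resolver accepts."""
    hits = 0
    for guess in range(1 << 16):
        forged = build_message(guess, qname, response=True)
        if resolver_accepts(query, forged, attacker_dst_port):
            hits += 1
    return hits


def poison_probability(entropy_bits, forgeries):
    """P(at least one of `forgeries` uniform guesses matches) = 1-(1-2^-b)^n.
    Computed via log1p/expm1 so that 2^-80 is not rounded away to zero."""
    p = 2.0 ** -entropy_bits
    return -math.expm1(forgeries * math.log1p(-p))


if __name__ == "__main__":
    fixed_port = OutstandingQuery(0xBEEF, 53, "example.com")
    random_port = OutstandingQuery(0xBEEF, 40123, "example.com")
    print("fixed source port, ID sweep accepted:", sweep_txids(fixed_port, 53, "example.com"))
    print("random source port, ID sweep accepted:", sweep_txids(random_port, 53, "example.com"))
    for bits in (16, 32, 80):
        print(f"{bits:2d} bits of entropy, 65536 forgeries:",
              poison_probability(bits, 65536))
```

With only the 16-bit ID to guess, one sweep of 65536 forged replies lands exactly one accepted answer, and a race of 65536 random guesses succeeds with probability about 1 - 1/e. Adding a randomized source port (roughly 16 more bits at best, fewer behind many NATs) pushes the same race to about 1.5e-5; the 64 extra bits mentioned in the message push it to about 2^-64 per 65536 forgeries. None of these checks authenticate the data, which is the point CERT/CC makes about DNSSEC.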
