[128084] in cryptography@c2.net mail archive
Re: Kaminsky finds DNS exploit
daemon@ATHENA.MIT.EDU (Paul Hoffman)
Mon Jul 14 13:31:16 2008
In-Reply-To: <87ej5wa6c1.fsf@mid.deneb.enyo.de>
Date: Mon, 14 Jul 2008 09:06:57 -0700
To: Florian Weimer <fw@deneb.enyo.de>, John Levine <johnl@iecc.com>
From: Paul Hoffman <paul.hoffman@vpnc.org>
Cc: cryptography@metzdowd.com
At 4:27 PM +0200 7/14/08, Florian Weimer wrote:
>Implementors say that in many cases, their software as it's currently
>implemented can't take the load. It's not much worse than web traffic,
>that's why I think it can be made to work (perhaps easier with kernel
>support, who knows). But code changes are apparently required.
That whole paragraph, taken together, makes no sense.
>And once you need code changes, you can roll out DNSSEC--or some
>extended query ID with 64 additional bits of entropy.
There is a difference between code changes in the kernel for some
systems (which you allude to above), code changes and a universal
rollout in all DNS software (which you allude to at the end), and
stable rollout of the DNSSEC trust anchor system in every significant
zone and all resolvers.
FWIW, only the latter has anything to do with this mailing list...
--Paul Hoffman, Director
--VPN Consortium