[11411] in North American Network Operators' Group
Re: how to protect name servers against cache corruption
daemon@ATHENA.MIT.EDU (Ben Black)
Tue Jul 29 21:43:11 1997
Date: Tue, 29 Jul 1997 21:19:54 -0400 (EDT)
From: Ben Black <black@zen.cypher.net>
To: "Thomas H. Ptacek" <tqbf@enteract.com>
cc: Paul A Vixie <vixie@vix.com>, tqbf@enteract.com, nanog@merit.edu
In-Reply-To: <199707300049.TAA17418@enteract.com>
> > No one in the security field has any right to expect any implementation of
> > DNS to be secure until DNSSEC is widely implemented.
>
this statement bothers me. certainly without DNSSEC there can be no
*assurances* of security, but there is a gaping chasm between the current
system and DNSSEC that could be closed significantly with proper design.
simply stating that until DNSSEC arrives these attacks are going to be
allowed is a copout.
ben
> > I'm sorry if something I said misled you to believe otherwise.
>
> So BIND 8.1.1 is NOT "immune" to the poisoned resource-record attack? I
> ask because you specifically stated that it was. Sorry to nag, I'd just
> like to see this clarified to the operations community.
>
> Again, thanks for your time and patience!
>
> ----------------
> Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf@enteract.com]
> ----------------
> "If you're so special, why aren't you dead?"