[11420] in North American Network Operators' Group
Re: how to protect name servers against cache corruption
daemon@ATHENA.MIT.EDU (Perry E. Metzger)
Tue Jul 29 22:33:11 1997
To: tqbf@enteract.com
cc: vixie@vix.com (Paul A Vixie), nanog@merit.edu
In-reply-to: Your message of "Tue, 29 Jul 1997 20:30:18 CDT."
<199707300130.UAA22939@enteract.com>
Reply-To: perry@piermont.com
Date: Tue, 29 Jul 1997 22:13:23 -0400
From: "Perry E. Metzger" <perry@piermont.com>

Paul has made it clear that there are holes in the DNS protocols that
cannot be fixed without DNSSEC. He isn't papering anything over -- he
is merely describing reality. If you want to be sarcastic to him for
doing his best and being honest in public, well, that's fine, but
frankly I think you are doing the community a serious disservice by
attacking Paul.
.pm

"Thomas H. Ptacek" writes:
> > BIND 4.9.6 and 8.1.1 are immune to all known attacks, including the one
>
> [ splice ]
>
> > I know of attacks we are not immune to, which cannot be stopped without
>
> Um. I hate to play semantic games, but if you know of attacks that BIND
> 8.1.1 is not immune to, then BIND 8.1.1 is not immune to all known
> attacks.
>
> Since this is not a security list, I'll refrain from (rhetorically)
> informing you that history doesn't back up your assertion of the existence
> of "holes that only the good guys know".
>
> Oops. Sorry about that.
>
> Thanks for clearing this up!
>
> ----------------
> Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf@enteract.com]
> ----------------
> "If you're so special, why aren't you dead?"