[11431] in North American Network Operators' Group
Re: how to protect name servers against cache corruption
daemon@ATHENA.MIT.EDU (Thomas H. Ptacek)
Tue Jul 29 23:02:58 1997
From: "Thomas H. Ptacek" <tqbf@enteract.com>
To: pferguso@cisco.com (Paul Ferguson)
Date: Tue, 29 Jul 1997 21:51:23 -0500 (CDT)
Cc: tqbf@enteract.com, lon@moonstar.com, nanog@merit.edu
Reply-To: tqbf@enteract.com
In-Reply-To: <3.0.3.32.19970729224229.006caf98@lint.cisco.com> from "Paul Ferguson" at Jul 29, 97 10:42:29 pm
> Sure, smart guy. And there are also issues with IP packets
> which are passed across untrusted nodes in the Internet.
> What exactly is your point?
Why are you asking me questions after having placed me in your killfile?
To answer your question briefly: there are fixes for both the poisoned-RR
problem (extensive validity checking and non-caching cut-through
responses), as explained by Johannes Erdfelt, and there are fixes for the
guessable-ID problem (randomized query IDs backed up by server-survival
assurances using "cookie" queries, along with an attack detection mechanism
that reduces the entire problem to a denial-of-service attack). Neither of
these involves DNSSEC.
You are being told that the Internet is essentially broken until DNSSEC is
implemented. Some people feel this is not the case. I am one of them. You
have my apologies if my means of expressing this seem unacceptable to you.
Thanks for taking the time to write!
----------------
Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf@enteract.com]
----------------
"If you're so special, why aren't you dead?"
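The resolver-side defenses Ptacek lists (randomized query IDs, a follow-up "cookie" query to confirm the answering server, and mismatch detection that turns a poisoning attempt into a failed lookup) are easier to reason about with a small model. The following is an added example written for this archive page; it is not Ptacek's code, not BIND, and not a DNS implementation. The cookie phase is my reading of his "server-survival assurances using cookie queries": a matching first answer is not cached until a second query with a fresh ID gets the same data. `MISMATCH_LIMIT`, `Resolver`, `lookup_under_forgery`, `fixed_ids`, the `id_source` hook and all addresses and names are constructed for the demo.

```python
"""Toy model of a resolver with randomized IDs, a cookie re-query, and
mismatch detection. Constructed example, not real DNS code."""
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

MISMATCH_LIMIT = 3  # constructed: wrong-ID answers tolerated before a lookup is abandoned


@dataclass
class Response:
    qname: str
    txid: int
    rdata: str


def fixed_ids(*ids: int) -> Callable[[], int]:
    """Hypothetical hook: deterministic ID source for tests and demos."""
    return iter(ids).__next__


@dataclass
class Resolver:
    randomize_ids: bool = True
    id_source: Callable[[], int] = lambda: secrets.randbelow(65536)
    pending: Dict[str, int] = field(default_factory=dict)              # qname -> awaited txid
    cookie_wait: Dict[str, Tuple[int, str]] = field(default_factory=dict)  # qname -> (cookie txid, rdata)
    mismatches: Dict[str, int] = field(default_factory=dict)
    cache: Dict[str, str] = field(default_factory=dict)
    _seq: int = 0

    def _new_id(self) -> int:
        if self.randomize_ids:
            return self.id_source()
        self._seq = (self._seq + 1) % 65536   # the guessable scheme: next ID = last ID + 1
        return self._seq

    def query(self, qname: str) -> int:
        self.mismatches.pop(qname, None)
        txid = self._new_id()
        self.pending[qname] = txid
        return txid

    def _mismatch(self, qname: str) -> str:
        # Attack detection: repeated wrong-ID answers for one outstanding query means
        # someone is guessing; drop the lookup rather than keep accepting candidates.
        n = self.mismatches[qname] = self.mismatches.get(qname, 0) + 1
        if n >= MISMATCH_LIMIT:
            self.pending.pop(qname, None)
            self.cookie_wait.pop(qname, None)
            return "abandoned"
        return "mismatch"

    def receive(self, r: Response) -> str:
        # Phase 2: answer to the cookie query; cache only if ID and data both agree.
        if r.qname in self.cookie_wait:
            ctxid, rdata = self.cookie_wait[r.qname]
            if r.txid == ctxid and r.rdata == rdata:
                del self.cookie_wait[r.qname]
                self.cache[r.qname] = rdata
                return "accepted"
            return self._mismatch(r.qname)
        # Phase 1: answer to the original query.
        expected = self.pending.get(r.qname)
        if expected is None:
            return "ignored"  # nothing outstanding: unsolicited data is never cached
        if r.txid != expected:
            return self._mismatch(r.qname)
        del self.pending[r.qname]
        self.cookie_wait[r.qname] = (self._new_id(), r.rdata)
        return "cookie-sent"


def lookup_under_forgery(resolver: Resolver, qname: str, forged_ids: List[int],
                         real_rdata: str = "192.0.2.10",
                         forged_rdata: str = "203.0.113.66") -> Tuple[List[str], object]:
    """One lookup during which forged answers (constructed traffic) arrive before the
    genuine one. Returns the event trace and what ended up cached (None = lookup failed)."""
    txid = resolver.query(qname)
    events = [resolver.receive(Response(qname, fid, forged_rdata)) for fid in forged_ids]
    events.append(resolver.receive(Response(qname, txid, real_rdata)))
    if qname in resolver.cookie_wait:            # the genuine server also answers the cookie
        ctxid, _ = resolver.cookie_wait[qname]
        events.append(resolver.receive(Response(qname, ctxid, real_rdata)))
    return events, resolver.cache.get(qname)


if __name__ == "__main__":
    for mode in (False, True):
        trace, answer = lookup_under_forgery(Resolver(randomize_ids=mode), "www.example.com", [1, 2, 3])
        print(f"randomize_ids={mode}: {trace} -> cached {answer}")
```

With sequential IDs the forged stream hits both the original and the cookie ID, so the cookie check buys nothing. With random IDs the same three guesses trip `MISMATCH_LIMIT`, the lookup is abandoned and the genuine answer is then ignored: the client gets no answer instead of a poisoned one, which is the "reduced to denial of service" outcome Ptacek describes. Below the limit, stray mismatches do not stop the genuine answer from being confirmed and cached.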