[11441] in North American Network Operators' Group
RE: how to protect name servers against cache corruption
daemon@ATHENA.MIT.EDU (Dan Dale)
Wed Jul 30 03:45:42 1997
From: Dan Dale <ddale@exodus.net>
To: "'Paul A Vixie'" <vixie@vix.com>,
"tqbf@enteract.com"
<tqbf@enteract.com>
Cc: "nanog@merit.edu" <nanog@merit.edu>
Date: Wed, 30 Jul 1997 00:38:44 -0700
Jeesh people... let's get some life here. Step out and enjoy the weekend will ya???
Upgrade to BIND 8.1.1 and deal with it. Some hack will figure it out and 9.0 will soon be on it's way.
DD
-----Original Message-----
From: Paul A Vixie [SMTP:vixie@vix.com]
Sent: Tuesday, July 29, 1997 6:09 PM
To: tqbf@enteract.com
Cc: nanog@merit.edu
Subject: Re: how to protect name servers against cache corruption
> > Noone in the security field has any right to expect any implementation of
> > DNS to be secure until DNSSEC is widely implemented.
>
> > I'm sorry if something I said misled you to believe otherwise.
>
> So BIND 8.1.1 is NOT "immune" to the poisoned resource-record attack? I
> ask because you specifically stated that it was. Sorry to nag, I'd just
> like to see this clarified to the operations community.
BIND 4.9.6 and 8.1.1 are immune to all known attacks, including the one
Eugene Kashpureff copied and put into wide public use recently.
I know of attacks we are not immune to, which cannot be stopped without
DNSSEC. My paper, whose URL I gave in the previous message, alludes to
some of these without exactly giving a road map for their use.
