[11445] in North American Network Operators' Group


Re: off-topic (Re: how to protect name servers against cache corruption )

daemon@ATHENA.MIT.EDU (Ben Black)
Wed Jul 30 06:23:26 1997

Date: Wed, 30 Jul 1997 05:58:14 -0400 (EDT)
From: Ben Black <black@zen.cypher.net>
To: Paul A Vixie <vixie@vix.com>
cc: nanog@merit.edu
In-Reply-To: <199707300123.SAA20706@wisdom.rc.vix.com>

well, the router comment wasn't mine so i don't think it really needs 
explanation.

as for the childish attempt to imply that somehow the statement of a 
problem is tantamount to insanity, well...i guess i thought you could do 
better.

there *is* a problem with query ID spoofing, as you have known for years, 
*but* there is a way to significantly harden a nameserver against this 
sort of attack *without* going against RFC and without rewriting it in 
C++ with the help of Jim Phlegming.

i did not come up with the algorithm to win the spoof race, so i will 
leave that in the capable hands of tom ptacek.


ben

ps - perry, you can get off your knees now.

On Tue, 29 Jul 1997, Paul A Vixie wrote:

> if you want to know how to configure your router, hit "D" now.
> 
> > > > No one in the security field has any right to expect any implementation of
> > > > DNS to be secure until DNSSEC is widely implemented.
> > 
> > this statement bothers me.  certainly without DNSSEC there can be no 
> > *assurances* of security, but there is a gaping chasm between the current 
> > system and DNSSEC that could be closed significantly with proper design.
> 
> please explain further.  perhaps i've been in this trench too long, i'm
> just not getting what you mean.  (how do i configure my router for that?)
> 
> > simply stating that until DNSSEC arrives these attacks are going to be 
> > allowed is a cop-out.
> 
> better yet, send diffs.  perhaps the bind-workers group are all idiots and
> this could actually be done better if we'd just rewrite it all in C++.  jim
> fleming keeps saying that that's the problem.  perhaps you and he could work
> together on a robust replacement for BIND.
> 

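Added example, not part of the thread and not from any BIND release: a toy model of the resolver-side check that any hardening against query ID spoofing rests on. A reply is accepted only if its transaction ID, destination port and question all match an outstanding query, and the first accepted reply retires the entry. The model also computes how many (ID, port) pairs a blind forger has to cover per query under sequential IDs on a fixed port versus random IDs and random source ports, which is the "spoof race" the message refers to, quantified from the defender's side. Class and function names and the assumed ephemeral port range are the editor's; the checks modelled are the ones later codified in RFC 5452.

```python
"""Toy model of resolver-side validation of DNS replies (added example)."""
import math
import secrets
from dataclasses import dataclass

ID_SPACE = 1 << 16                    # DNS transaction IDs are 16 bits
EPHEMERAL_PORTS = range(1024, 65536)  # assumed source-port range for outgoing queries


@dataclass(frozen=True)
class Query:
    qid: int
    sport: int
    qname: str


class Resolver:
    """Minimal model of a recursive resolver's table of outstanding queries.

    random_id / random_port select the hardened behaviour; with both False
    the model uses a sequential ID and a fixed port 53, the predictable
    pattern that makes forged replies cheap to match.
    """

    def __init__(self, random_id=True, random_port=True):
        self.random_id = random_id
        self.random_port = random_port
        self._next_id = 1
        self.pending = {}  # (qid, sport) -> qname

    def send(self, qname):
        """Register an outgoing query and return the tuple a reply must echo."""
        if self.random_id:
            qid = secrets.randbelow(ID_SPACE)
        else:
            qid = self._next_id
            self._next_id = (self._next_id + 1) % ID_SPACE
        sport = secrets.choice(EPHEMERAL_PORTS) if self.random_port else 53
        self.pending[(qid, sport)] = qname
        return Query(qid, sport, qname)

    def accept(self, qid, dport, qname):
        """Accept a reply only if ID, port and question all match an
        outstanding query. The first matching reply retires the entry, so a
        later duplicate (forged or genuine) is ignored."""
        key = (qid, dport)
        if self.pending.get(key) != qname:
            return False
        del self.pending[key]
        return True


def search_space(random_id, random_port, previous_id_observed=False):
    """Number of (ID, port) pairs a blind forger must cover for one query.

    With sequential IDs, seeing a single earlier ID makes the next one
    predictable, so the ID dimension collapses to 1.
    """
    ids = 1 if (not random_id and previous_id_observed) else ID_SPACE
    ports = len(EPHEMERAL_PORTS) if random_port else 1
    return ids * ports


def entropy_bits(random_id, random_port, previous_id_observed=False):
    """Same quantity expressed in bits, for comparing configurations."""
    return math.log2(search_space(random_id, random_port, previous_id_observed))
```

The point of the comparison is that the validation check itself is cheap and RFC-conformant; what changes between the two configurations is only how hard the echoed tuple is to guess, from a single packet (sequential ID, fixed port, one ID observed) to roughly 2^32 candidates (random ID and random port).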