[116470] in North American Network Operators' Group
Re: DNS hardening, was Re: Dan Kaminsky
daemon@ATHENA.MIT.EDU (bert hubert)
Wed Aug 5 13:13:44 2009
In-Reply-To: <20090805164823.43774.qmail@simone.iecc.com>
From: bert hubert <bert.hubert@netherlabs.nl>
Date: Wed, 5 Aug 2009 19:12:38 +0200
To: John Levine <johnl@iecc.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Wed, Aug 5, 2009 at 6:48 PM, John Levine <johnl@iecc.com> wrote:
> 3) Random case in queries, e.g. GooGLe.CoM
> 4) Ask twice (with different values for the first three hacks) and
> compare the answers
>
> I presume everyone is doing the first two. Any experience with the
> other two to report?
3 works, but offers zero protection against 'kaminsky spoofing the
root' since you can't fold the case of "123456789.". And the root is
the goal.
4 breaks on Akamai and many other CDNs. Even 'ask thrice, and take the
majority answer' doesn't work there.
5 is 'edns ping', but it was effectively blocked because people
thought DNSSEC would be easier to do, or demanded that EDNS PING
(http://edns-ping.org) would offer everything that DNSSEC offered.
Bert
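As an added illustration of the point about hack 3 (not part of the original thread), the following Python shows why 0x20 case randomization adds nothing for an all-digit label: the only extra entropy comes from ASCII letters, which "123456789." has none of. It assumes the thread's hacks 1 and 2 are the usual 16-bit transaction ID and 16-bit source-port randomization; the sample names are constructed.

```python
import secrets

# Constructed sample query names (not from the original thread): the first
# is John Levine's example, the second is the kind of all-digit label that
# Bert's "can't fold the case" remark is about.
SAMPLE_NAMES = ["GooGLe.CoM", "123456789."]


def case_randomize(qname: str, coin=lambda: secrets.randbits(1)) -> str:
    """Apply 0x20 encoding: flip the ASCII case bit of each letter at random.

    Authoritative servers compare names case-insensitively and most echo the
    question name back byte-for-byte, so the resolver can demand an exact echo.
    """
    out = []
    for ch in qname:
        if ch.isascii() and ch.isalpha() and coin():
            out.append(chr(ord(ch) ^ 0x20))  # 0x20 is the ASCII case bit
        else:
            out.append(ch)
    return "".join(out)


def case_entropy_bits(qname: str) -> int:
    """Extra bits a forger must guess thanks to 0x20: one per ASCII letter.
    Digits, hyphens and dots have no case, so they contribute nothing."""
    return sum(1 for ch in qname if ch.isascii() and ch.isalpha())


def spoof_guess_bits(qname: str, random_port: bool = True) -> int:
    """Total bits a blind forger must match for one reply to be accepted:
    16-bit transaction ID, 16-bit source port (if randomized; assumed to be
    hacks 1 and 2 of the thread), plus whatever 0x20 adds for this name."""
    return 16 + (16 if random_port else 0) + case_entropy_bits(qname)


def reply_matches(sent_qname: str, echoed_qname: str) -> bool:
    """The 0x20 check: accept a reply only if the question name comes back
    byte-exact. A case-insensitive compare would throw the entropy away."""
    return sent_qname == echoed_qname


if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        sent = case_randomize(name)
        print(f"{name!r:14} -> sent {sent!r:14} 0x20 bits={case_entropy_bits(name):2d}"
              f" total guess bits={spoof_guess_bits(name)}")
```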