[116482] in North American Network Operators' Group


Re: DNS hardening, was Re: Dan Kaminsky

daemon@ATHENA.MIT.EDU (John R. Levine)
Wed Aug 5 15:23:52 2009

Date: Wed, 5 Aug 2009 15:23:00 -0400 (EDT)
From: "John R. Levine" <johnl@iecc.com>
To: bert hubert <bert.hubert@netherlabs.nl>
In-Reply-To: <3efd34cc0908051012q74fadfdej620cd0dcb20c1ea8@mail.gmail.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

> 3 works, but offers zero protection against 'kaminsky spoofing the
> root' since you can't fold the case of "123456789.". And the root is
> the goal.

Good point.

5) Download your own copy of the root zone every few days from 
http://www.internic.net/domain/, check the signature if you can find the 
signing key for 289FE7AD, and use that rather than the public roots.

6) EDNS0 PING, if you think anyone else will implement it

R's,
John
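An added example, not from John Levine's message or anyone else in the thread, that makes the quoted objection to option 3 concrete: 0x20 case randomisation only adds entropy for letters, so a purely numeric query name such as "123456789." gets none and a forged answer sent in plain lowercase always passes the resolver's case check. The function names and the comparison name "www.example.com." are assumptions for illustration.

```python
import random


def fold_0x20(qname: str, rng: random.Random) -> str:
    """Randomise the case of every letter in a query name (the 0x20 trick).
    Digits, dots and hyphens carry no case bit, so they pass through unchanged."""
    out = []
    for ch in qname:
        if ch.isalpha():
            out.append(ch.upper() if rng.getrandbits(1) else ch.lower())
        else:
            out.append(ch)
    return "".join(out)


def extra_entropy_bits(qname: str) -> int:
    """Extra bits a forger must guess because of 0x20: one per letter, zero for
    anything else. A purely numeric name therefore adds nothing."""
    return sum(1 for ch in qname if ch.isalpha())


def answer_matches(sent_qname: str, received_qname: str) -> bool:
    """Resolver-side check: the question echoed in the answer must match the
    question that was sent byte for byte, case included."""
    return sent_qname == received_qname


def forgery_acceptance_rate(qname: str, trials: int, seed: int = 0) -> float:
    """Fraction of forged answers that pass the 0x20 check when the forger does
    not know the casing and simply sends the name in lowercase. TXID and source
    port are ignored here; only the contribution of case folding is modelled."""
    rng = random.Random(seed)
    accepted = 0
    for _ in range(trials):
        sent = fold_0x20(qname, rng)
        if answer_matches(sent, qname.lower()):
            accepted += 1
    return accepted / trials


if __name__ == "__main__":
    # "123456789." is the numeric name from the quoted message; "www.example.com."
    # is a constructed comparison name with 13 letters.
    for name in ("123456789.", "www.example.com."):
        print(name, extra_entropy_bits(name), "extra bits;",
              "forgery acceptance rate", forgery_acceptance_rate(name, 10_000))
```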
