nanog mailing list archives
Re: how to protect name servers against cache corruption
From: Ben Black <black () zen cypher net>
Date: Tue, 29 Jul 1997 22:13:38 -0400 (EDT)
i say again that although it cannot be made completely secure in the DNSSEC sense, it can absolutely be made far more resistant to some *known* attacks without significant code changes. ben On Tue, 29 Jul 1997, Paul A Vixie wrote:
Let me put this another more interesting and more direct way. Postulate a name server with the following properties: 1. Actually works on and is connected to the live Internet. 2. RFC compliant except as nec'y to comply with #1 above. 3. No DNSSEC, no TSIG, no SECUPD. 4. Completely bug free. You go right ahead and build that name server, and I will drive a truck, no, better still a bus or even a backhoe, right through its front window. DNS is not secure and cannot be made so. BIND-8.1.1 is the best there is, and it's what you should run, but as long as you run DNS without DNSSEC, your confidence level should be set accordingly. PS: BIND is definitely #1, is almost #2, is definitely #3, and trying to be #4.
Current thread:
- Re: how to protect name servers against cache corruption, (continued)
- Re: how to protect name servers against cache corruption Deepak Jain (Jul 22)
- Re: how to protect name servers against cache corruption Paul A Vixie (Jul 22)
- Re: how to protect name servers against cache corruption Juergen Georgi (Jul 22)
- Re: how to protect name servers against cache corruption Karl Denninger (Jul 22)
- Re: how to protect name servers against cache corruption tqbf (Jul 29)
- Re: how to protect name servers against cache corruption Paul A Vixie (Jul 29)
- Re: how to protect name servers against cache corruption Thomas H. Ptacek (Jul 29)
- Re: how to protect name servers against cache corruption Paul A Vixie (Jul 29)
- Re: how to protect name servers against cache corruption Thomas H. Ptacek (Jul 29)
- Re: how to protect name servers against cache corruption Paul A Vixie (Jul 29)
- Re: how to protect name servers against cache corruption Ben Black (Jul 29)
- Re: how to protect name servers against cache corruption Perry E. Metzger (Jul 29)
- Re: how to protect name servers against cache corruption Thomas H. Ptacek (Jul 29)
- Re: how to protect name servers against cache corruption Paul A Vixie (Jul 29)
- Re: how to protect name servers against cache corruption Perry E. Metzger (Jul 29)
- Re: how to protect name servers against cache corruption Thomas H. Ptacek (Jul 29)
- Re: how to protect name servers against cache corruption Perry E. Metzger (Jul 29)
- Re: how to protect name servers against cache corruption Thomas H. Ptacek (Jul 29)
- Re: how to protect name servers against cache corruption Christopher Masto (Jul 29)
- Re: how to protect name servers against cache corruption tqbf (Jul 29)
- Re: how to protect name servers against cache corruption Jay R. Ashworth (Jul 30)
- Re: how to protect name servers against cache corruption Paul A Vixie (Jul 29)