nanog mailing list archives

Re: dnscurve and DNS hardening, was Re: Dan Kaminsky


From: Alexander Harrowell <a.harrowell () gmail com>
Date: Thu, 6 Aug 2009 11:06:49 +0100

There are really two security problems here, which implies that two different 
methods might be necessary:

1) Authenticate the nameserver to the client (and so on up the chain to the 
root) in order to defeat the Kaminsky attack, man in the middle, IP-layer 
interference. (Are you who you say you are?)

2) Validate the information in the nameserver. (OK, so you're the nameserver; 
but who says www.google.com is 1.2.3.4?)

1) is the transport layer problem; 2) is the dnssec/zone signing problem.

Attachment: signature.asc
Description: This is a digitally signed message part.
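
An added illustration of the two problems the message separates (not part of the original post): each reply gets two independent checks, one on the channel to the nameserver and one on the record itself. The HMAC tag and the toy Lamport one-time signature are stand-ins chosen so the sketch needs only the standard library; they are not the DNSCurve or DNSSEC algorithms, and all names, keys and records are constructed.

```python
import hashlib, hmac, os

def H(b):
    return hashlib.sha256(b).digest()

def digest_bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (i % 8)) & 1 for i in range(256)]

# Problem 2 stand-in: toy Lamport one-time signature playing the zone-signing key.
def zone_keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def zone_sign(sk, record):
    return [sk[i][bit] for i, bit in enumerate(digest_bits(record))]

def data_valid(pk, record, sig):
    bits = digest_bits(record)
    return len(sig) == 256 and all(H(s) == pk[i][bits[i]] for i, s in enumerate(sig))

# Problem 1 stand-in: HMAC tag under a key shared by the client and its nameserver.
def channel_seal(key, reply):
    return hmac.new(key, reply, hashlib.sha256).digest()

def channel_ok(key, reply, tag):
    return hmac.compare_digest(channel_seal(key, reply), tag)

def scenarios():
    key = os.urandom(32)                       # known to client and nameserver only
    zone_sk, zone_pk = zone_keygen()           # private half held by the zone owner only
    good = b"www.example.com. A 192.0.2.10"    # constructed record, signed by the owner
    bad = b"www.example.com. A 203.0.113.66"   # constructed altered record
    sig = zone_sign(zone_sk, good)             # the only signature the owner ever issued
    no_tag = bytes(32)                         # sender that does not hold the channel key
    check = lambda rec, tag: (channel_ok(key, rec, tag), data_valid(zone_pk, rec, sig))
    return {  # name -> (server authenticated?, data validated?)
        "honest nameserver": check(good, channel_seal(key, good)),
        "spoofed reply from off the channel": check(bad, no_tag),
        "authenticated nameserver, altered data": check(bad, channel_seal(key, bad)),
        "signed data over unauthenticated relay": check(good, no_tag),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:42} channel={result[0]!s:5} data={result[1]}")
```

The third and fourth rows are the reason neither check substitutes for the other: an authenticated channel still delivers whatever the nameserver holds, and a valid record signature says nothing about who relayed it.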

