Re: DNS Cache Dan Kamikaze (Actual Exploit Discussion)

[Mark Andrews <Mark_Andrews () isc org>]

> --On Tuesday, July 15, 2008 09:14:39 +1000 Mark Andrews <Mark_Andrews () isc org
> >
> wrote:
>
> >     And the best solution to this attack is to deploy DNSSEC.
> >     You don't care where the response comes from provide the
> >     signatures are good.
>
> Except that DNSSEC is going to have to improve dramatically to achieve 
> widespread adoption.  Right now it's a PITA to understand and implement and 
> then 30 days later you have to do it all over again.  Frankly, it's not worth
>  
> the effort until the technology improves enough to make it easier to implemen
> t 
> and maintain.

        Have you actually tried to sign a zone?
        Have you actually tried to re-sign a zone?

        Just use the defaults and don't try to control every aspect.

        It really is not that difficult and yes it is getting easier
        still.  If you can manage a zone, you can manage a signed
        zone.

        If you are writing a nameserver there is a lot you need to
        know but to administer a signed zone there is very little
        you need to know.

        http://www.isc.org/sw/bind/docs/DNSSEC_in_6_minutes.pdf

> I know you don't want to hear that, but that's the truth.
>
> -- 
> Paul Schmehl
> As if it wasn't already obvious,
> my opinions are my own and not
> those of my employer.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews () isc org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/