Full Disclosure mailing list archives

Re: Slightly OT: What SSL cert do you consider strongest?


From: Fabian Wenk <fabian () wenks ch>
Date: Sun, 27 Oct 2013 20:17:29 +0100

Hello Jeffrey

On 24.10.2013 10:54, Jeffrey Walton wrote:

> Dr. Bernstein has a good time with DNSSEC in his talks. See, for
> example, Cryptography Worst Practices,
> http://secappdev.org/lectures/144. The entire talk is good, but his
> DNSSEC bashing occurs around 14:40 (min:sec).

I watched a larger part of this video from that point on.

Regarding forgetting to re-sign a DNSSEC zone, I would like to point out that ISC BIND 9.9 does support 'inline signing'. This has the advantage that the zone will be automatically signed upon reloading it. Also, BIND will re-sign the zone as needed during run time.

Regarding the UDP amplification attack with spoofed source addresses, since version 9.9.4 ISC BIND does have Response Rate Limiting (RRL) available. But a much better solution would be if all ISPs and other network operators of IP ranges protected their own networks in such a way that they drop packets at their borders when the source address is not from their own IP ranges. This would prevent not only the DNSSEC amplification attack he was talking about, but also those using other DNS requests and other UDP-based public services (e.g. NTP).


bye
Fabian

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
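As an added illustration of the two BIND features Fabian mentions (inline signing and Response Rate Limiting), not part of the original post, here is a minimal named.conf fragment for an authoritative server. The zone name "example.com", the file paths and the RRL thresholds are assumptions chosen for the example; tune them for your own zone and query load.

```conf
// Added example (not from the original mail): BIND 9.9.4+ authoritative config
// showing inline signing (zone is re-signed automatically) and RRL.
options {
    directory "/var/named";          // assumed path
    dnssec-enable yes;

    // Response Rate Limiting: caps identical responses per client /24 (IPv4)
    // to blunt reflection/amplification of spoofed-source queries.
    rate-limit {
        responses-per-second 5;      // per (client netblock, response) pair
        window 5;                    // seconds over which the limit is averaged
        slip 2;                      // every 2nd dropped answer becomes a small
                                     // truncated (TC=1) reply, so a real client
                                     // retries over TCP while a spoofer gains nothing
        log-only yes;                // dry run: log what would be limited, then
                                     // remove this line once the thresholds look sane
    };
};

// Unsigned zone file stays human-editable; BIND keeps a signed copy beside it
// (example.com.zone.signed) and refreshes RRSIGs before they expire, so a
// forgotten manual re-sign can no longer take the zone offline.
zone "example.com" {
    type master;
    file "example.com.zone";         // assumed path, unsigned master copy
    key-directory "/var/named/keys"; // assumed path; KSK/ZSK must exist here
    auto-dnssec maintain;            // load keys from key-directory, roll per timing metadata
    inline-signing yes;
};
```

Before loading this, generate the keys into the key directory (for example with dnssec-keygen -K /var/named/keys -a RSASHA256 -b 2048 -f KSK example.com and a second run without -f KSK for the ZSK), then check that rndc signing -list example.com reports the zone as signed. Note that RRL only protects the reflector's own bandwidth and its victims' from this server; the source-address filtering Fabian asks operators for is what BCP 38 (RFC 2827) describes, and it stops spoofed queries before they reach any UDP service at all.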

