Re: off-topic (Re: how to protect name servers against cache corruption )

[Ben Black <black () zen cypher net>]

well, the router comment wasn't mine so i don't think it really needs 
explanation.

as for the childish attempt to imply that somehow the statement of a 
problem is tantamount to insanity, well...i guess i thought you could do 
better.

there *is* a problem with query ID spoofing, as you have known for years, 
*but* there is a way to significantly harden a nameserver against this 
sort of attack *without* going against RFC and without rewriting it in 
C++ with the help of Jim Phlegming.

i did not come up with the algorithm to win the spoof race, so i will 
leave that in the capable hands of tom ptacek.


ben

ps - perry, you can get off your knees now.

On Tue, 29 Jul 1997, Paul A Vixie wrote:

> if you want to know how to configure your router, hit "D" now.
> 
> > > > Noone in the security field has any right to expect any implementation of
> > > > DNS to be secure until DNSSEC is widely implemented.
> >
> > this statement bothers me.  certainly without DNSSEC there can be no 
> > *assurances* of security, but there is a gaping chasm between the current 
> > system and DNSSEC that could be closed significantly with proper design.
>
> please explain further.  perhaps i've been in this trench too long, i'm
> just not getting what you mean.  (how do i configure my router for that?)
>
> > simply stating that until DNSSEC arrives these attacks are going to be 
> > allowed is a copout.
>
> better yet, send diffs.  perhaps the bind-workers group are all idiots and
> this could actually be done better if we'd just rewrite it all in C++.  jim
> fleming keeps saying that that's the problem.  perhaps you and he could work
> together on a robust replacement for BIND.