nanog mailing list archives
Re: Dan Kaminsky
From: Florian Weimer <fweimer () bfk de>
Date: Wed, 05 Aug 2009 14:32:27 +0000
* Leo Bicknell:
> In a message written on Tue, Aug 04, 2009 at 11:32:46AM -0700, Kevin Oberman wrote:
> > There is NO fix. There never will be as the problem is architectural
> > to the most fundamental operation of DNS. Other than replacing DNS (not
> > feasible), the only way to prevent this form of attack is DNSSEC. The
> > "fix" only makes it much harder to exploit.
>
> I don't understand why replacing DNS is "not feasible".

Replacing the namespace is not feasible because any newcomer will lack the liability shield ICANN, root operators, TLD registries, and registrars have established for the Internet DNS root, so it will never get beyond the stage of hashing out the legal issues.

We might have an alternative one day, but it's going to happen by accident, through generalization of an internal naming service employed by a widely-used application. There are several successful application-specific naming services which are independent of DNS, but all the attempts at replacing DNS as a general-purpose naming service have failed.

The transport protocol is a separate issue. It is feasible to change it, but the IETF has a special working group which is currently tasked to prevent any such changes.

-- 
Florian Weimer                <fweimer () bfk de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99