List:       dns-operations
Subject:    Re: [dns-operations] DNS Flush Protocol
From:       Paul Hoffman <paul.hoffman () vpnc ! org>
Date:       2015-04-02 15:13:59
Message-ID: 3E81557F-0D44-4F3E-9D18-AB468E1CCD7C () vpnc ! org
On Mar 27, 2015, at 8:48 AM, Mike Jones <mike@mikejones.in> wrote:
> Comments? Ideas? Does someone want to make a slightly more formal
> proposal for what such a protocol should look like?

In the responses so far, I have not seen people give one of the earlier-stated reasons why such a protocol might be bad: it can allow an attacker to more easily temporarily take over your zone. Assume that you're an attacker who has gotten the temporary ability to be on-path for one or more of a zone's servers. Being able to send out "please refresh my zone" alerts makes your attack much more effective. Further, when discovered, and the real zone owner sends out another blast of "please refresh my zone", recipients might think "I already did that" and ignore it.

Thus, the protocol proposed probably has to involve a requirement for DNSSEC validation of announcements, which will limit its utility.

--Paul Hoffman
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
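The two failure modes in the reply above (a spoofed "please refresh my zone" announcement being acted on, and the genuine one then being dropped as "I already did that") can be made concrete with a small simulation. The following Go program is an added example, not code from the thread or from any DNS software; it assumes a hypothetical announcement format (zone, SOA serial, signature), uses Ed25519 as a stand-in for whatever DNSSEC algorithm a real zone would use, and treats the resolver's `TrustedKeys` map as the zone key it would already have obtained through a validated DNSSEC chain. The zone name and all keys are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// FlushAnnouncement is a hypothetical "please refresh my zone" message.
// The layout (zone, SOA serial, signature) is an assumption for this example;
// the thread proposes no wire format.
type FlushAnnouncement struct {
	Zone      string
	Serial    uint32 // SOA serial the sender claims is current
	Signature []byte // signature over zone||serial by the sender's key
}

// announcementBytes builds the canonical byte string that is signed.
func announcementBytes(zone string, serial uint32) []byte {
	buf := make([]byte, 4)
	binary.BigEndian.PutUint32(buf, serial)
	return append([]byte(zone), buf...)
}

// Sign produces an announcement signed with a private key. Ed25519 stands in
// for the DNSSEC algorithm the zone would really use.
func Sign(priv ed25519.PrivateKey, zone string, serial uint32) FlushAnnouncement {
	return FlushAnnouncement{Zone: zone, Serial: serial, Signature: ed25519.Sign(priv, announcementBytes(zone, serial))}
}

// Resolver models a recursive server that receives announcements.
type Resolver struct {
	RequireSignature bool
	// TrustedKeys holds, per zone, the public key the resolver is assumed to
	// have obtained through a validated DNSSEC chain.
	TrustedKeys map[string]ed25519.PublicKey
	lastSerial  map[string]uint32 // serial of the last announcement acted on
}

func NewResolver(requireSig bool) *Resolver {
	return &Resolver{
		RequireSignature: requireSig,
		TrustedKeys:      map[string]ed25519.PublicKey{},
		lastSerial:       map[string]uint32{},
	}
}

// Handle returns true when the resolver acts on the announcement (flushes the
// zone) and false when it ignores it.
func (r *Resolver) Handle(a FlushAnnouncement) bool {
	if r.RequireSignature {
		key, ok := r.TrustedKeys[a.Zone]
		if !ok || !ed25519.Verify(key, announcementBytes(a.Zone, a.Serial), a.Signature) {
			return false // not verifiable against the zone's key: ignore
		}
	}
	// "I already did that": a serial already acted on is ignored, which is
	// exactly why an accepted forgery blocks the owner's later announcement.
	if last, seen := r.lastSerial[a.Zone]; seen && a.Serial <= last {
		return false
	}
	r.lastSerial[a.Zone] = a.Serial
	return true
}

// Outcome records what each resolver did with a forged and a genuine announcement.
type Outcome struct {
	NaiveAcceptsForged, NaiveAcceptsGenuine           bool
	ValidatingAcceptsForged, ValidatingAcceptsGenuine bool
}

// Scenario replays the concern from the thread: an on-path party announces a
// refresh signed with a key of its own, then the real owner announces the same
// serial. The zone name and all keys are constructed for this example.
func Scenario() Outcome {
	const zone = "example.test."
	var serial uint32 = 2015040201
	ownerPub, ownerPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader) // key in no DNSSEC chain
	naive := NewResolver(false)
	validating := NewResolver(true)
	validating.TrustedKeys[zone] = ownerPub
	forged := Sign(otherPriv, zone, serial)
	genuine := Sign(ownerPriv, zone, serial)
	var o Outcome
	o.NaiveAcceptsForged = naive.Handle(forged)
	o.NaiveAcceptsGenuine = naive.Handle(genuine)
	o.ValidatingAcceptsForged = validating.Handle(forged)
	o.ValidatingAcceptsGenuine = validating.Handle(genuine)
	return o
}

func main() {
	fmt.Printf("%+v\n", Scenario())
}
```

Running it shows the naive resolver acting on the forgery and then discarding the owner's real announcement for the same serial, while the validating resolver does the opposite. Note that the check is against a key the resolver already trusts for that zone, not merely "is there a signature": a message signed with an arbitrary key is rejected, which is the part that costs deployability, as the reply points out.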