List: dns-operations
Subject: Re: [dns-operations] DNS Flush Protocol
From: Paul Hoffman <paul.hoffman () vpnc ! org>
Date: 2015-04-02 15:13:59
Message-ID: 3E81557F-0D44-4F3E-9D18-AB468E1CCD7C () vpnc ! org
On Mar 27, 2015, at 8:48 AM, Mike Jones <mike@mikejones.in> wrote:
> Comments? Ideas? Does someone want to make a slightly more formal
> proposal for what such a protocol should look like?
In the responses so far, I have not seen people give one of the earlier-stated reasons why such a protocol might be bad: it can allow an attacker to more easily temporarily take over your zone. Assume that you're an attacker who has gotten the temporary ability to be on-path for one or more of a zone's servers. Being able to send out "please refresh my zone" alerts makes your attack much more effective. Further, when discovered, and the real zone owner sends out another blast of "please refresh my zone", recipients might think "I already did that" and ignore it.
Thus, the protocol proposed probably has to involve a requirement for DNSSEC validation of announcements, which will limit its utility.
--Paul Hoffman
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
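The two failure modes Paul describes (an on-path party forging "refresh my zone" alerts, and recipients ignoring the owner's later genuine alert as already handled) are what a receiver-side check has to address. The sketch below is an added example, not a proposal from this thread or any real flush protocol: it assumes a hypothetical announcement format, uses Ed25519 as a stand-in for a DNSSEC-validated zone key, and treats a per-zone increasing serial as the replay defence, so a forged or replayed alert is dropped while the owner's newer one is still honoured.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// FlushAnnouncement is a hypothetical "please refresh my zone" message.
// The wire format is an assumption for this example, not a proposed standard.
type FlushAnnouncement struct {
	Zone   string
	Serial uint32 // must increase with every announcement for the zone
	Sig    []byte // signature over Zone||Serial by the zone owner's key
}

// signedBytes binds zone name and serial together; serial is a fixed 4-byte suffix.
func signedBytes(zone string, serial uint32) []byte {
	b := make([]byte, 4)
	binary.BigEndian.PutUint32(b, serial)
	return append([]byte(zone), b...)
}

// Sign produces an announcement with the given key (Ed25519 stands in for a DNSSEC key).
func Sign(priv ed25519.PrivateKey, zone string, serial uint32) FlushAnnouncement {
	return FlushAnnouncement{Zone: zone, Serial: serial, Sig: ed25519.Sign(priv, signedBytes(zone, serial))}
}

// Receiver models a resolver deciding whether to act on an announcement.
type Receiver struct {
	Trusted  map[string]ed25519.PublicKey // zone -> key, assumed learned via validated DNSSEC
	LastSeen map[string]uint32            // highest serial already acted on, per zone
}

func NewReceiver() *Receiver {
	return &Receiver{Trusted: map[string]ed25519.PublicKey{}, LastSeen: map[string]uint32{}}
}

// Accept returns true only for an announcement signed by the zone owner's key
// whose serial is newer than anything already acted on for that zone.
func (r *Receiver) Accept(a FlushAnnouncement) bool {
	pub, ok := r.Trusted[a.Zone]
	if !ok || !ed25519.Verify(pub, signedBytes(a.Zone, a.Serial), a.Sig) {
		return false // unsigned or forged: an on-path party without the key cannot produce this
	}
	if last, seen := r.LastSeen[a.Zone]; seen && a.Serial <= last {
		return false // replayed or stale announcement
	}
	r.LastSeen[a.Zone] = a.Serial
	return true
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader) // key not belonging to the zone
	r := NewReceiver()
	r.Trusted["example."] = pub
	fmt.Println(r.Accept(Sign(priv, "example.", 1)))      // true
	fmt.Println(r.Accept(Sign(otherPriv, "example.", 2))) // false: wrong key
	fmt.Println(r.Accept(Sign(priv, "example.", 1)))      // false: replay
	fmt.Println(r.Accept(Sign(priv, "example.", 2)))      // true: owner's later alert still honoured
}
```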