List: namedroppers
Subject: Re: RFC proposal on DNS spoofing prevention
From: bert hubert <bert.hubert () netherlabs ! nl>
Date: 2007-01-09 21:53:10
Message-ID: 20070109215310.GA30088 () outpost ! ds9a ! nl
On Tue, Jan 09, 2007 at 09:52:17AM +0900, Masataka Ohta wrote:
> Third party: any host other than the resolver or the intended
> recipient of a question. The third party may have access to a
> random authoritative nameserver, but has no access to packets
> transmitted by the Resolver.
>
> However, I think it should also be assumed that the third party has
> no access to packets of authentic answers to the Resolver.
Indeed, we'll update the draft to state so. It will be posted again
tomorrow, with a bug tracker, wiki and changelog, so it should be easy to
keep track of. This was pioneered by the NSEC3 draft, btw; it appears to
work.
> I also think birthday attacks should be prevented by using the same
> ID and the same source port for all the outstanding queries with the
> same question to the same destination.
Indeed, we should improve the wording of the draft to say that the same
question should not be in flight *with differing* source ports/IDs, which
gives implementations more room to do the right thing.
Thanks for your comments!
--
http://www.PowerDNS.com Open source, database driven DNS Software
http://netherlabs.nl Open and Closed source services
--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>
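As an added illustration of the point discussed above (not code from the thread, the draft, or PowerDNS), a toy Python table of in-flight queries that coalesces identical outstanding questions to the same server onto one transaction ID and source port, accepts an answer only against that single pair, and estimates how much a spoofer's per-packet odds drop compared with N distinct pairs in flight. Class and function names, the destination address and the approximation in `spoof_success_probability` are all assumptions of this example.

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Question:
    """A DNS question as (qname, qtype); constructed for this example."""
    qname: str
    qtype: str


class OutstandingQueries:
    """Toy table of in-flight queries keyed by (question, destination).

    Duplicate questions to the same server share one (txid, port) pair, so an
    off-path spoofer has a single target to hit rather than N targets."""

    def __init__(self):
        self._inflight = {}  # (Question, destination) -> (txid, source_port)

    def send(self, question, destination):
        """Return the (txid, port) to use; reuses the existing pair if present."""
        key = (question, destination)
        if key not in self._inflight:
            txid = secrets.randbelow(1 << 16)              # 16-bit transaction ID
            port = 1024 + secrets.randbelow(65536 - 1024)  # random ephemeral port
            self._inflight[key] = (txid, port)
        return self._inflight[key]

    def accept(self, question, destination, txid, port):
        """Accept an answer only if it matches the one outstanding pair."""
        key = (question, destination)
        if self._inflight.get(key) != (txid, port):
            return False
        del self._inflight[key]  # consumed: a late duplicate is rejected
        return True

    def inflight_count(self):
        return len(self._inflight)


def spoof_success_probability(distinct_pairs, guesses,
                              space=(1 << 16) * (65536 - 1024)):
    """Chance that at least one of `guesses` random (txid, port) packets hits
    one of `distinct_pairs` pairs; treats guesses as independent (approximation)."""
    return 1.0 - (1.0 - distinct_pairs / space) ** guesses
```

With one pair per question the per-packet odds are 1/space; letting ten identical questions fly with ten different pairs multiplies them by ten, which is the birthday effect the wording change above is meant to rule out.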