
List:       namedroppers
Subject:    Re: RFC proposal on DNS spoofing prevention
From:       bert hubert <bert.hubert () netherlabs ! nl>
Date:       2007-01-09 21:53:10
Message-ID: 20070109215310.GA30088 () outpost ! ds9a ! nl

On Tue, Jan 09, 2007 at 09:52:17AM +0900, Masataka Ohta wrote:
>     Third party: any host other than the resolver or the intended
>     recipient of a question. The third party may have access to a
>     random authoritative nameserver, but has no access to packets
>     transmitted by the Resolver.
> 
> However, I think it should also be assumed that the third party has
> no access to packets of authentic answers to the Resolver.

Indeed, we'll update the draft to state so. It will be posted again
tomorrow, with a bug tracker, wiki and changelog, so it should be easy to
keep track of. This was pioneered by the NSEC3 draft btw; it appears to
work.

> I also think birthday attacks should be prevented by using the same
> ID and the same source port for all the outstanding queries with the
> same question to the same destination.

Indeed, we should improve the wording of the draft to say that the same question
should not be in flight *with differing* source ports/IDs, which gives
implementations more room to do the right thing.

Thanks for your comments!

-- 
http://www.PowerDNS.com      Open source, database driven DNS Software 
http://netherlabs.nl              Open and Closed source services

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>
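As an added illustration (not code from the draft, from PowerDNS, or from either poster), the following Python model shows what the proposed wording means for an implementation: an outstanding-query table that folds repeated copies of the same question to one (source port, ID) pair, next to the back-of-envelope probability that forged answers match one of k distinct pairs in flight. The table layout, class names, the 1024..65535 port range and the independent-guess approximation are assumptions of this example.

```python
import secrets
from dataclasses import dataclass

# Assumed identity space: 16-bit transaction ID x ephemeral source port, both random.
PORT_SPACE = 2 ** 16 - 1024
ID_PORT_SPACE = PORT_SPACE * 2 ** 16


@dataclass
class Outstanding:
    port: int
    txid: int
    waiters: int = 1  # client questions waiting on this one upstream query


class ResolverModel:
    """Toy outstanding-query table (constructed example, not a real resolver)."""

    def __init__(self, coalesce=True, rng=secrets.randbelow):
        self.coalesce = coalesce
        self.rng = rng            # rng(n) -> int in [0, n); injectable for tests
        self.inflight = {}        # (qname, qtype, server) -> [Outstanding, ...]

    @staticmethod
    def _key(qname, qtype, server):
        return (qname.lower().rstrip("."), qtype, server)

    def send(self, qname, qtype, server):
        entries = self.inflight.setdefault(self._key(qname, qtype, server), [])
        if self.coalesce and entries:
            entries[0].waiters += 1   # same question already out: reuse its (port, ID)
            return entries[0]
        entry = Outstanding(port=1024 + self.rng(PORT_SPACE), txid=self.rng(2 ** 16))
        entries.append(entry)       # a new identity the attacker could also hit
        return entry

    def identities_in_flight(self, qname, qtype, server):
        entries = self.inflight.get(self._key(qname, qtype, server), [])
        return len({(e.port, e.txid) for e in entries})


def forgery_success(n_forged, k_identities, space=ID_PORT_SPACE):
    """Approximate P(at least one of n forged answers matches one of the k distinct
    (port, ID) pairs in flight for one question); each guess is independent."""
    return 1.0 - (1.0 - k_identities / space) ** n_forged


if __name__ == "__main__":
    for coalesce in (True, False):
        r = ResolverModel(coalesce=coalesce)
        for _ in range(10):
            r.send("www.example.com", "A", "192.0.2.1")  # constructed sample query
        k = r.identities_in_flight("www.example.com", "A", "192.0.2.1")
        print(f"coalesce={coalesce}: {k} identities, P(hit by 1000 forgeries)="
              f"{forgery_success(1000, k):.3e}")
```

With coalescing the ten duplicate questions expose one (port, ID) pair; without it they expose ten, and the success probability of the same number of forged answers grows about tenfold.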