
List:       nanog
Subject:    Re: how to protect name servers against cache corruption
From:       Ben Black <black () zen ! cypher ! net>
Date:       1997-07-30 2:13:38

I say again that although it cannot be made completely secure in the 
DNSSEC sense, it can absolutely be made far more resistant to some 
*known* attacks without significant code changes.


ben



On Tue, 29 Jul 1997, Paul A Vixie wrote:

> Let me put this another more interesting and more direct way.
> 
> Postulate a name server with the following properties:
> 
> 	1. Actually works on and is connected to the live Internet.
> 	2. RFC compliant except as nec'y to comply with #1 above.
> 	3. No DNSSEC, no TSIG, no SECUPD.
> 	4. Completely bug free.
> 
> You go right ahead and build that name server, and I will drive a truck,
> no, better still a bus or even a backhoe, right through its front window.
> 
> DNS is not secure and cannot be made so.  BIND-8.1.1 is the best there is,
> and it's what you should run, but as long as you run DNS without DNSSEC,
> your confidence level should be set accordingly.
> 
> PS:
> 
> BIND is definitely #1, is almost #2, is definitely #3, and trying to be #4.
> 
