> From: Haya Shulman <haya.shul...@gmail.com>

> IMHO, DNSSEC is simply the natural defense against the attacks, which
> is why I did not explicitly mention it, but I definitely had it in
> mind :-)

In that case, on what should an organization spend time or money first,
on DNSSEC or the recommendations in the mail message? Would it be
better if each of the recommendations in the mail message started with
something like this?

    Deploy DNSSEC, and consider the following to help protect cached
    data not yet protected with DNSSEC.

> Regarding the proxy-behind-upstream: to prevent the attacks DNSSEC has
> to be deployed (and validated) on the proxy. Currently it seems that
> there are proxies that signal support of DNSSEC (via the DO bit), but
> do not validate responses, and validation is typically performed by
> the upstream forwarder.

That sounds like a more significant bug than port obscurity or
randomization. If it is a bug, which should be addressed first in that
software or those installations, this DNSSEC bug or the recommendations
in the mail message? If it is a significant DNSSEC bug, it would be
good if a future version of the mail message mentioned it.

Vernon Schryver    v...@rhyolite.com
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
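The "proxy-behind-upstream" case quoted above, as an added configuration example that is not part of this thread or of any poster's setup: a BIND 9 forwarding resolver that relies on its upstream to validate, beside the same resolver validating locally. The upstream address 192.0.2.53 is a placeholder from the documentation range; the two `options` blocks are alternatives, and only one belongs in a real named.conf.

```conf
// Constructed example for a BIND 9 forwarding resolver (the "proxy" in the
// thread). 192.0.2.53 is a placeholder upstream address, not a real forwarder.

// WEAK: forward everything upstream and cache whatever comes back. Validation
// (if any) happens on the upstream forwarder, so an answer forged on the
// proxy-to-upstream path is cached here without any DNSSEC check, even though
// the proxy may still set the DO bit on the queries it sends upstream.
options {
    recursion yes;
    forwarders { 192.0.2.53; };
    forward only;
    dnssec-validation no;
};

// CORRECTED: validate on the proxy itself. "auto" uses BIND's built-in root
// trust anchor (maintained through RFC 5011 key rollover), so a forged or
// tampered answer for a signed zone fails validation here and is returned as
// SERVFAIL instead of being cached, whatever the upstream forwarder did.
options {
    recursion yes;
    forwarders { 192.0.2.53; };
    forward only;
    dnssec-validation auto;
};
```

After switching to the corrected block, `named-checkconf` confirms the syntax and a `dig +dnssec` against the proxy for a signed name should come back with the AD flag set by the proxy itself rather than merely relayed; unsigned data in the cache remains unprotected, which is where the thread's other recommendations still apply.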