On 21 Oct 2013, at 16:54, Keith Mitchell <ke...@smoti.org> wrote:

> Applying the same 5-years' now-outside hindsight to this, the benefits
> of all that port randomization work seem murky at best -

There was/is a vulnerability and it's been (sort of) plugged. Surely that's a Good Thing? Even if it just means the bar has been raised for an attacker. And only for those who have installed new-ish DNS code.

> The Herzberg/Shulman attacks seem even harder to exploit in
> a real (as opposed to lab) environment

Maybe. OTOH knowing about this weakness and doing little to counteract it -- save for the universal deployment of DNSSEC -- seems irresponsible to me. YMMV.

That said, there are other vulnerabilities that are probably more significant than cache poisoning attacks: e.g. the probably intractable reflector/amplification problems.
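As an added illustration of the "bar has been raised" point (not code from the thread or from either participant), the following Python estimates how much entropy a resolver's observed UDP source ports actually carry, and how that changes the chance that a burst of forged responses matches the one outstanding query. The 10-bit acceptance threshold and the two port samples are constructed assumptions for the demonstration.

```python
import math
import random
from collections import Counter


def estimate_entropy_bits(values):
    """Shannon entropy (bits) of an observed sample, e.g. captured UDP source ports.

    Note: a sample of n observations can never show more than log2(n) bits,
    so a small capture understates a well-randomized resolver.
    """
    n = len(values)
    if n == 0:
        return 0.0
    counts = Counter(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_randomized(values, min_bits=10.0):
    """Defender check: flag a resolver whose source ports look fixed or predictable.

    min_bits is an assumed threshold; it must be below log2(len(values)).
    """
    return estimate_entropy_bits(values) >= min_bits


def spoof_success_probability(guesses, txid_bits=16, port_bits=0):
    """Chance that `guesses` distinct forged replies hit the (TXID, port) pair
    the resolver is waiting for. With a fixed port only the 16-bit TXID
    must be matched; randomizing the port adds port_bits of extra entropy."""
    space = 2 ** (txid_bits + port_bits)
    return min(1.0, guesses / space)


# Constructed samples: a resolver pinned to port 53 vs. one drawing ports at random.
random.seed(1)
FIXED_PORT_SAMPLE = [53] * 2000
RANDOM_PORT_SAMPLE = [random.randint(1024, 65535) for _ in range(2000)]
```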