[EMAIL PROTECTED] ("Jay R. Ashworth") writes:

> [ unthreaded to encourage discussion ]
>
> On Sat, Jul 26, 2008 at 04:55:23PM -0500, James Hess wrote:
>> Nameservers could incorporate poison detection...
>>
>> Listen on 200 random fake ports (in addition to the true query ports);
>> if a response ever arrives at a fake port, then it must be an attack,
>> read the "identified" attack packet, log the attack event, mark the
>> RRs mentioned in the packet as "poison being attempted" for 6 hours;
>> for such domains always request and collect _two_ good responses
>> (instead of one), with a 60 second timeout, before caching a lookup.
>>
>> The attacker must now guess nearly 64-bits in a short amount of time,
>> to be successful. Once a good lookup is received, discard the normal
>> TTL and hold the good answer cached and immutable, for 6 hours (_then_
>> start decreasing the TTL normally).
>
> Is there any reason which I'm too far down the food chain to see why
> that's not a fantastic idea? Or at least, something inspired by it?
at first glance, this is brilliant, though with some unimportant nits.
however, since it is off-topic for nanog, i'm going to forward it to the
[EMAIL PROTECTED] mailing list and make detailed comments there.

-- 
Paul Vixie
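As an added example (not part of the thread, and not code from any real resolver), here is a toy Python model of the scheme Hess describes: a reply arriving at a decoy port is logged and marks the name as under attack for six hours, a suspect name needs two matching answers within 60 seconds before it is cached, and a confirmed answer is held immutable for six hours before its TTL starts counting down. The port numbers, names and addresses are constructed, and the clock is injectable so the timeline can be driven deterministically.

```python
import time
from collections import defaultdict

SUSPECT_HOLD = 6 * 3600     # "poison being attempted" mark lasts 6 hours
IMMUTABLE_HOLD = 6 * 3600   # confirmed answer is held immutable for 6 hours
CONFIRM_WINDOW = 60         # two matching answers must arrive within 60 seconds


class PoisonAwareCache:
    def __init__(self, real_ports, decoy_ports, clock=time.time):
        self.real_ports, self.decoy_ports = set(real_ports), set(decoy_ports)
        self.clock = clock               # injectable for deterministic tests
        self.suspect = {}                # name -> time the suspicion expires
        self.pending = defaultdict(list) # name -> [(rdata, seen_at)] awaiting a match
        self.cache = {}                  # name -> (rdata, cached_at, ttl, confirmed)
        self.events = []                 # logged forged packets (constructed tuples)

    def on_response(self, port, name, rdata, ttl):
        t = self.clock()
        if port in self.decoy_ports:
            # No query was ever sent from a decoy port, so this reply is forged.
            self.events.append((t, port, name, rdata))
            self.suspect[name] = t + SUSPECT_HOLD
            return "attack_logged"
        if port not in self.real_ports:
            return "dropped"
        entry = self.cache.get(name)
        if entry and entry[3] and t - entry[1] < IMMUTABLE_HOLD:
            return "ignored_immutable"  # nothing may overwrite a confirmed answer
        if self.suspect.get(name, 0) > t:
            cands = [c for c in self.pending[name] if t - c[1] <= CONFIRM_WINDOW]
            cands.append((rdata, t))
            if sum(1 for r, _ in cands if r == rdata) < 2:
                self.pending[name] = cands
                return "awaiting_confirmation"
            self.pending.pop(name, None)
            self.cache[name] = (rdata, t, ttl, True)
            return "cached_confirmed"
        self.cache[name] = (rdata, t, ttl, False)
        return "cached"

    def lookup(self, name):
        if name not in self.cache:
            return None
        rdata, cached_at, ttl, confirmed = self.cache[name]
        # A confirmed answer lives for the hold, and only then does its TTL count down.
        if self.clock() - cached_at < (IMMUTABLE_HOLD + ttl if confirmed else ttl):
            return rdata
        del self.cache[name]
        return None
```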