On 09/09/2013 06:07 AM, Haya Shulman wrote:
> For instance, DNS-OARC does not detect port prediction attacks, and
> reports clients as secure, while they are vulnerable to attacks.
OARC does many things, I assume here you are referring to our port
entropy tester:
https://www.dns-oarc.ne
On 2013-09-07, at 15:07, Paul Wouters wrote:
> On Sat, 7 Sep 2013, Florian Weimer wrote:
>
>> Well, there aren't any plans to sign ROOT-SERVERS.NET, are there?
>
> Why sign that when you have the DNSKEY via the DS anyway. You shouldn't
> care which IP answers and whether they can spoof it. If
Sometimes crazy conspiracy theories make too much sense. Please
make up one of your own from some facts:
- Some known major PKI failures were ostensibly in su
...
Yasuhiro Orange Morishita / 森下泰宏 wrote:
> Paul-san, and folks,
>
> Now we (including me) have known the dangers and limitations,
> so should we set max-udp-size to 1220 on every authoritative server?
for unsigned responses, i think a v6 max-udp-size of 1220 and a v4 max-udp-size
of 512 is w
Paul-san, and folks,
Now we (including me) have known the dangers and limitations,
so should we set max-udp-size to 1220 on every authoritative server?
-- Orange
From: Paul Vixie
Date: Mon, 09 Sep 2013 04:47:44 -0700
regrettably, the author of RFC 2671 knew the dangers and limitations of
fragmented IP, but specified it anyway.
see especially: http://www.hpl.hp.com/techreports/Compaq-DEC/WRL-87-3.html
(where the authors of WRL-87-3 were two early mentors of the later
author of RFC 2671, who not only ought to h
Yasuhiro-san :-)
Nice find, thanks for sharing!!
I will add reference to it in our works.
On Sun, Sep 8, 2013 at 3:00 PM, wrote:
>
>
> Message: 6
> Date: Sun, 08 Sep 2013 17:30:57 +0900 (JST)
> From: Yasuhiro Orange Morishita / <yasuh...@jprs.co.jp>
> To: aa...@arbor.net
> Cc: dns-opera
You are right, proper randomisation is one property, and secure application
thereof to real world systems is another.
So, as you said, there are a number of requirements, which should be
addressed, to ensure correct functionality and security, including having a
sufficiently large range which the a
On Fri, Sep 06, 2013 at 09:44:34PM +0300,
Haya Shulman wrote
a message of 232 lines which said:
> We studied the IPID randomisation on the name servers (not the resolvers).
Just a warning: it's IPID _unpredictability_ (for a blind attacker)
which is important. Randomisation can be bad because