Re: [dns-operations] knot-dns

2014-12-14 Thread Mark Andrews
In message <878ui94dju@mid.deneb.enyo.de>, Florian Weimer writes: > The problem is that the EDNS protocol does not have a proper > handshake. If implementations reply differently to the same query, a > resolver may hit one implementation, receive some sort of failure > indication, try again w

Re: [dns-operations] knot-dns

2014-12-14 Thread Mehmet Akcin
PS: http://blogs.technet.com/b/networking/archive/2014/12/15/handling-endless-delegation-chains-in-windows-dns-server.aspx Our DNS Rockstar Kumar Ashutosh just wrote a blog post if anyone is interested in more details. Mehmet On Sun, Dec 14, 2014 at 8:57 PM, Mehmet Akcin wrote: > > Haven't heard about

Re: [dns-operations] knot-dns

2014-12-14 Thread Florian Weimer
* David Conrad: > Software diversity is a tool that network administrators use to > improve resiliency in their infrastructure. I agree it is not a > silver bullet but if I was building out critical infrastructure like > (oh say) a root server or a resolver cloud that my customers depend > on, I

Re: [dns-operations] knot-dns

2014-12-14 Thread Florian Weimer
* David Conrad: >> In particular, running different implementations behind a load >> balancer on the same public IP address can break EDNS detection by >> resolvers, and crafted queries sent to a resolver can make data >> unavailable to that resolver (until a timeout occurs). > > Huh? Yeah. > If

Re: [dns-operations] knot-dns

2014-12-14 Thread Mehmet Akcin
> > Haven't heard about Microsoft's recursor yet. > Microsoft Windows DNS is not affected by the infinite-loop vulnerability. Mehmet ___ dns-operations mailing list dns-operations@lists.dns-oarc.net https://lists.dns-oarc.net/mailman/listinfo/dns-operatio

Re: [dns-operations] knot-dns

2014-12-14 Thread Roland Dobbins
On 15 Dec 2014, at 9:08, Matthew Ghali wrote: > Or more likely, have a multiplicative effect instead. +1 --- Roland Dobbins

Re: [dns-operations] knot-dns

2014-12-14 Thread Roland Dobbins
On 15 Dec 2014, at 9:45, David Conrad wrote: Two words: Microsoft Windows. Here're two words for you: Linux botnet. Or three: Linux router botnet. Or two more: OSX botnet And two more, for good measure: Android botnet. Presumably you too can google "packet of death". I don't need t

Re: [dns-operations] knot-dns

2014-12-14 Thread David Conrad
Matt, On Dec 14, 2014, at 6:08 PM, Matthew Ghali wrote: > Given the set of practical issues we’re worried about today, delivering a > service via multiple codebases certainly isn’t a magic bullet. Agreed. I would be surprised if anyone seriously argues that it is. > Upon closer inspection hete

Re: [dns-operations] knot-dns

2014-12-14 Thread David Conrad
On Dec 14, 2014, at 3:05 PM, Roland Dobbins wrote: > I've never run into a situation in which a monoculture would've made things > any worse. ?? Two words: Microsoft Windows. > a) packet-of-death vulnerabilities are rare, Sure, but they happen. For example: - the resolver bug we're talking

Re: [dns-operations] knot-dns

2014-12-14 Thread Matthew Ghali
Hi DRC! Sorry, I didn’t mean to advocate a monoculture in a vacuum. My point was delivered much more eloquently by Roland: Given the set of practical issues we’re worried about today, delivering a service via multiple codebases certainly isn’t a magic bullet. Upon closer inspection heterogeneit

Re: [dns-operations] knot-dns

2014-12-14 Thread Roland Dobbins
On 15 Dec 2014, at 5:52, David Conrad wrote: > Code diversity is to help mitigate implementation bugs. Sure - but it isn't the be-all, end-all it's made out to be, either. --- Roland Dobbins

Re: [dns-operations] knot-dns

2014-12-14 Thread Roland Dobbins
On 15 Dec 2014, at 5:47, David Conrad wrote: A monoculture invites catastrophic failure. We've seen this over and over again. We've seen heterogeneous environments fail catastrophically, too. I've never run into a situation in which a monoculture would've made things any worse. Sure, there

Re: [dns-operations] knot-dns

2014-12-14 Thread David Conrad
On Dec 14, 2014, at 12:28 PM, Matthew Ghali wrote: > How many different responses did we see to the recent recursion cve? What I've seen so far: Vulnerable: - BIND 9, Unbound, PowerDNS Recursor Not Vulnerable: - Nominum, dnsmasq, djbdns, BIND 8 Haven't heard about Microsoft's recursor yet. >

Re: [dns-operations] knot-dns

2014-12-14 Thread David Conrad
Hi, I'm having a bit of trouble believing this isn't April 1. On Dec 14, 2014, at 10:38 AM, Florian Weimer wrote: >> While it sounds good on phosphor, the concept of code diversity is so >> abstract, compared to the significant operational challenges and >> associated security challenges of oper

Re: [dns-operations] knot-dns

2014-12-14 Thread Paul Vixie
> Matthew Ghali > Sunday, December 14, 2014 12:28 PM > How many different responses did we see to the recent recursion cve? > > How does code diversity fix protocol vulns? bind8 wasn't vulnerable :-). -- Paul Vixie

Re: [dns-operations] knot-dns

2014-12-14 Thread Roland Dobbins
On 15 Dec 2014, at 3:28, Matthew Ghali wrote: > How does code diversity fix protocol vulns? +1 --- Roland Dobbins

Re: [dns-operations] knot-dns

2014-12-14 Thread Matthew Ghali
How many different responses did we see to the recent recursion cve? How does code diversity fix protocol vulns? Matt > On Dec 13, 2014, at 1:44 PM, Roland Dobbins wrote: > > >> On 14 Dec 2014, at 4:36, Rubens Kuhl wrote: >> >> What I'm curious about is how we measure code diversity among th

Re: [dns-operations] knot-dns

2014-12-14 Thread Florian Weimer
* Roland Dobbins: > While it sounds good on phosphor, the concept of code diversity is so > abstract, compared to the significant operational challenges and > associated security challenges of operating separate systems > performing the same functions (sort of), but differently, that any > potenti

Re: [dns-operations] OARC's DNS Reply Size Test Server is not EDNS compliant

2014-12-14 Thread Keith Mitchell
On 12/13/2014 04:30 PM, Mark Andrews wrote: > > OARC's DNS Reply Size Test Server is not EDNS compliant. It does > not return a OPT record to EDNS requests. This causes named from > BIND 9.10.0 and later to classify the servers as not EDNS compliant > and to only send plain DNS queries. This in
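Two threads on this page turn on the same check: Florian Weimer's point that EDNS has no handshake, so a resolver that sees different answers from the same IP (e.g. mixed implementations behind a load balancer) can misclassify the server, and Mark Andrews' report that a server which does not echo an OPT record gets classified as not EDNS compliant by BIND 9.10.0 and later. The probe below is an added example, not code from the thread, from BIND, or from OARC. It builds a plain DNS query carrying an EDNS0 OPT record (RFC 6891), classifies the reply by whether an OPT record comes back (or a FORMERR does), and repeats the query so that inconsistent verdicts from one address show up. The sample replies are constructed in the block, not captured traffic; BIND's real fallback logic is more elaborate than "OPT present or not", so treat this as the minimal compliance test, not a reimplementation of named.

```python
import secrets
import socket
import struct

# Added example: minimal EDNS0 compliance probe. Not from the dns-operations
# thread, BIND or OARC; the sample replies below are constructed, not captured.

EDNS_UDP_PAYLOAD = 4096
TYPE_OPT = 41
RCODE_FORMERR = 1
OPT_RR_LEN = 11  # root name (1) + type (2) + class (2) + ttl (4) + rdlen (2)


def build_edns_query(qname, qtype=1, udp_payload=EDNS_UDP_PAYLOAD):
    """Return (id, wire) for a recursion-desired query with one OPT RR in ADDITIONAL."""
    qid = secrets.randbits(16)
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # RD set, ARCOUNT=1
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question += struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    # OPT pseudo-RR: owner is root, CLASS carries the UDP payload size,
    # TTL carries extended RCODE / EDNS version / flags (all zero here).
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_payload, 0, 0)
    return qid, header + question + opt


def _skip_name(msg, off):
    """Advance past a (possibly compressed) domain name starting at off."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length


def classify_response(qid, msg):
    """One of 'edns', 'no-opt', 'formerr', 'bad-id', 'truncated'."""
    if len(msg) < 12:
        return "truncated"
    rid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != qid:
        return "bad-id"
    if flags & 0x000F == RCODE_FORMERR:
        return "formerr"  # classic reaction of an EDNS-unaware server
    off = 12
    try:
        for _ in range(qd):
            off = _skip_name(msg, off) + 4  # QTYPE + QCLASS
        for _ in range(an + ns + ar):
            off = _skip_name(msg, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            if rtype == TYPE_OPT:
                return "edns"
            off += 10 + rdlen
    except (IndexError, struct.error):
        return "truncated"
    return "no-opt"  # answered, but silently dropped the OPT: the OARC case


def is_consistent(verdicts):
    """True when every attempt against one address produced the same verdict."""
    return len(set(verdicts)) == 1


def probe(server, qname, attempts=5, timeout=2.0):
    """Send the same EDNS query several times to one address and collect verdicts.
    Mixed implementations behind one IP show up as a non-uniform list."""
    verdicts = []
    for _ in range(attempts):
        qid, wire = build_edns_query(qname)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            try:
                s.sendto(wire, (server, 53))
                data, _ = s.recvfrom(65535)
                verdicts.append(classify_response(qid, data))
            except socket.timeout:
                verdicts.append("timeout")
    return verdicts


def constructed_response(qid, query_wire, with_opt=True, rcode=0):
    """Constructed sample reply (not captured traffic): echoes the question,
    adds one A record for 192.0.2.1, and optionally an OPT RR."""
    question = query_wire[12:len(query_wire) - OPT_RR_LEN]
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])
    header = struct.pack("!HHHHHH", qid, 0x8180 | rcode, 1, 1, 0, 1 if with_opt else 0)
    msg = header + question + answer
    if with_opt:
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, EDNS_UDP_PAYLOAD, 0, 0)
    return msg


if __name__ == "__main__":
    qid, wire = build_edns_query("example.com")
    for label, reply in (("edns-aware", constructed_response(qid, wire, True)),
                         ("opt-dropped", constructed_response(qid, wire, False)),
                         ("formerr", constructed_response(qid, wire, False, RCODE_FORMERR))):
        print(label, "->", classify_response(qid, reply))
```

Against a live target, `probe("203.0.113.53", "example.com")` (address is a placeholder) returning something like `['edns', 'no-opt', 'edns', 'edns', 'no-opt']` is exactly the load-balancer symptom from the thread: a resolver caching a per-server EDNS verdict will get a different answer depending on which backend it happened to hit.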