On Thu, Sep 05, 2013 at 02:54:18PM -0700,
Paul Vixie wrote
a message of 68 lines which said:
> Florian Weimer wrote:
> >
> > Because DNSSEC does not prevent cache poisoning, it only detects it.
>
> i do not understand this statement.
The way I understand it: with Kaminsky and/or Shulman, you
Stephane Bortzmeyer wrote:
>
> The way I understand it: ...
>
> So, DNSSEC turned the poisoning attack from a hijacking attack to a DoS.
>
> Now, the question is: "for an attacker, is it the simplest way to do a
> DoS?" IMHO, no, so I'm not too worried about it and I still believe in
> DNSSEC.
On 06.09.2013, at 10:49, Stephane Bortzmeyer wrote:
> On Thu, Sep 05, 2013 at 02:54:18PM -0700,
> Paul Vixie wrote
> a message of 68 lines which said:
>
>> Florian Weimer wrote:
>>>
>>> Because DNSSEC does not prevent cache poisoning, it only detects it.
>>
>> i do not understand this statem
> On Thu, Sep 05, 2013 at 02:54:18PM -0700,
> Paul Vixie wrote the part "i do not understand this
> statement.":
>
>> Florian Weimer wrote:
>>>
>>> Because DNSSEC does not prevent cache poisoning, it only detects it.
>>
>> i do not understand this statement.
>
On Sep 6, 2013, at 3:49, Stepha
On Sep 6, 2013, at 9:29, Daniel Kalchev wrote:
> Might be the appropriate time to think how to depend less on caching is now?
You mean, make DNS a strict client-server system?
Imagine a world in which *every* *single* conversion of a hostname to an
address involved packets flowing through the roo
Aaron Campbell wrote:
> Here is a thought, but I will defer to the protocol experts on plausibility.
> The resolver knows the size of each DNS message it parses. What if it didn't
> trust glue records contained within large (i.e., > 1400 bytes or so)
> responses? In these cases, the resolver
On Aug 22 2013, I wrote:
The TLD "xn--l1acc" (an IDN for Mongolia) which was only added to the root
zone last weekend, signed and with a DS right from the outset, seems to
have got into trouble already.
It looks as if a KSK rollover from a key with id 29566 to one with id 38599
has been applied
Hello Aaron,
Please see below.
On Fri, Sep 6, 2013 at 7:33 AM, Aaron Campbell wrote:
> On 2013-09-05, at 10:02 PM, Haya Shulman wrote:
>
> > I would recommend short term patches (that we recommend in the paper) in
> > the meanwhile, and addressing the deployment challenges of DNSSEC.
>
> Some c
On 06.09.2013, at 17:30, Edward Lewis wrote:
> On Sep 6, 2013, at 9:29, Daniel Kalchev wrote:
>
>> Or cache only after validation?
>
>
> I shudder to think there's an alternative. If you are going to cache anyway,
> don't waste your time validating.
>
What is the point to cache junk?
Dan
In message <20130906074928.ga19...@nic.fr>, Stephane Bortzmeyer writes:
> On Thu, Sep 05, 2013 at 02:54:18PM -0700,
> Paul Vixie wrote
> a message of 68 lines which said:
>
> > Florian Weimer wrote:
> > >
> > > Because DNSSEC does not prevent cache poisoning, it only detects it.
> >
> > i do
Mark Andrews wrote:
> In message <20130906074928.ga19...@nic.fr>, Stephane Bortzmeyer writes:
>> ...
>> The way I understand it: with Kaminsky and/or Shulman, you can still
>> poison a DNS cache. The downstream validating resolver will detect it
>> and send back SERVFAIL to the end user. But this
11 matches