>> Paul Vixie wrote:
>>> because TCP is considered optional by many authority DNS server
>>> operators.
> On Aug 9, 2008, at 3:48 PM, Chris Paul wrote:
>> Hey authority DNS server operators. Can you make a change to your
>> servers to always allow TCP client connections? Would this be
>> dif
> The *actual* distinction here is that an implementation can be a fully
> compliant IPv4 stack without any code to do IPSEC. The IPv6 stack is
> required to have the code.
but usually does not. it's like the ipv6 forum, almost none of the
members' servers have ipv6 enabled.
randy
On Fri, 08 Aug 2008 18:53:23 EDT, Deepak Jain said:
>o Security. With IPv4, IPsec is optional and you need to ask
> the peer if it supports IPsec. With IPv6, IPsec support is mandatory. By
> mandating IPsec, we can assume that you can secure your IP communication
> whenever you talk
On Aug 9, 2008, at 3:48 PM, Chris Paul wrote:
Paul Vixie wrote:
because TCP is considered optional by many authority DNS server
operators.
Hey authority DNS server operators. Can you make a change to your
servers to always allow TCP client connections? Would this be
difficult? What wou
Randy Bush wrote:
Paul Vixie wrote:
hey are not occurring on nanog@, where they would be off-topic,
like this thread here
you may want to read the aup. by my read they are not off topic.
Also: given how serious the problem is, I'd think that far and wide
perspective
on this is ap
On Aug 9, 2008, at 6:23 PM, Paul Vixie wrote:
second, please think carefully about the word "severe". any time
someone
can cheerfully hammer you at full-GigE speed for 10 hours, you've
got some
trouble, and you'll need to monitor for those troubles. 11 seconds of
10MBit/sec fit my definitio
Paul Vixie wrote:
because TCP is considered optional by many authority DNS server operators.
Hey authority DNS server operators. Can you make a change to your
servers to always allow TCP client connections? Would this be difficult?
What would be the harm?
it's only required if you expect A
Paul Vixie wrote:
> hey are not occurring on nanog@, where they would be off-topic,
> like this thread here
you may want to read the aup. by my read they are not off topic.
randy
[EMAIL PROTECTED] (Matt F) writes:
> Why not just require TCP for a lookup if a response with an incorrect
> TXID is received? You could require TCP for just the one lookup or for
> some configured interval, say 1 hour. That should slow attackers down
> substantially.
because TCP is consider
[EMAIL PROTECTED] (Joe Greco) writes:
> I am very, very, very disheartened to be shown to be wrong. As if 8 days
> wasn't bad enough, a concentrated attack has been shown to be effective in
> 10 hours. See http://www.nytimes.com/2008/08/09/technology/09flaw.html
that's what theory predicted. g
On 9 Aug 2008, at 18:10, Matt F wrote:
Why not just require TCP for a lookup if a response with an
incorrect TXID is received? You could require TCP for just the one
lookup or for some configured interval, say 1 hour. That should
slow attackers down substantially.
That sounds like a go
Why not just require TCP for a lookup if a response with an incorrect
TXID is received? You could require TCP for just the one lookup or for
some configured interval, say 1 hour. That should slow attackers down
substantially.
Joe Abley wrote:
On 9 Aug 2008, at 17:22, Church, Charles wrote:
TCP would work, but it makes it more difficult to do Anycast, which
works well with UDP and DNS.
TCP works pretty well with anycast too, if you're careful. It's
helpful if your transactions are short-lived.
I've seen concern expressed that a
TCP would work, but it makes it more difficult to do Anycast, which
works well with UDP and DNS.
Chuck
-Original Message-
From: Chris Paul [mailto:[EMAIL PROTECTED]
Sent: Saturday, August 09, 2008 5:18 PM
To: [EMAIL PROTECTED]
Subject: maybe a dumb idea on how to fix the dns problems i
Paul,
Sorry if this is real stupid for some reason because I don't think about
DNS all day (I'm the ldap dude) but since we have faster networks and
faster cpus today, what would be the harm in switching to use TCP for
DNS clients? The latency on the web isn't dns anymore ever it seems to
me.
It's usually interesting to be proven wrong, but perhaps not in this case.
I was among the first to point out that the 11-second DNS poisoning claim
made by Vixie only worked out to about a week of concentrated attack after
the patch. This was a number I extrapolated purely from Paul's 11-secon
Hello. Looking for a UK based DNS server that allows open relay. Please
contact me off list, using it to test a slightly problematic geo dns system.
You've been forwarded.
J
On Aug 6, 2008, at 12:36 PM, Alan Halachmi wrote:
Would someone from Verizon please contact me? Or, if you know of a
technical contact for Verizon, please pass it along. Thanks.
Best,
Alan
--
Joel Esler
http://blog.joelesler.net
http://www.dearcupertino.
> Rather than jumping down someone's throat here, are these
> assumptions rampant (or even accurate)? We came across this
> as we were trying to enhance our own Ops groups documents to
> share with customers, and well, I don't think we want to
> share this. ;)
You can get a lot better informa