Kaminsky finds DNS exploit
Paul Hoffman
paul.hoffman at vpnc.org
Mon Jul 14 12:06:57 EDT 2008
At 4:27 PM +0200 7/14/08, Florian Weimer wrote:
>Implementors say that in many cases, their software as it's currently
>implemented can't take the load. It's not much worse than web traffic,
>that's why I think it can be made to work (perhaps easier with kernel
>support, who knows). But code changes are apparently required.

That whole paragraph, taken together, makes no sense.

>And once you need code changes, you can roll out DNSSEC--or some
>extended query ID with 64 additional bits of entropy.

There is a difference between code changes in the kernel for some
systems (which you allude to above), code changes and a universal
rollout in all DNS software (which you allude to at the end), and
stable rollout of the DNSSEC trust anchor system in every significant
zone and all resolvers.

FWIW, only the latter has anything to do with this mailing list...

--Paul Hoffman, Director
--VPN Consortium
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com