Kaminsky finds DNS exploit

Florian Weimer fw at deneb.enyo.de
Mon Jul 14 10:27:58 EDT 2008


* John Levine:

>>CERT/CC mentions this:
>>
>>| It is important to note that without changes to the DNS protocol, such
>>| as those that the DNS Security Extensions (DNSSEC) introduce, these
>>| mitigations cannot completely prevent cache poisoning.
>
> Why wouldn't switching to TCP lookups solve the problem?

It requires code changes on both types of servers, in order to make them
more scalable.

> It's arguably more traffic than DNSSEC, but it has the large practical
> advantage that they actually work with deployed servers today.

Implementors say that in many cases, their software as it's currently
implemented can't take the load.  It's not much worse than web traffic,
that's why I think it can be made to work (perhaps easier with kernel
support, who knows).  But code changes are apparently required.

And once you need code changes, you can roll out DNSSEC--or some
extended query ID with 64 additional bits of entropy.

On top of that, some operators decided not to offer TCP service at all.
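
Added example, not from the thread or its authors: the resolver-side acceptance check that the discussion turns on (a UDP answer is accepted if its 16-bit header ID and the port match an outstanding query, per RFC 1035 section 4.1.1) and a calculation of how the odds of a blind forgery being accepted fall as unpredictable bits are added, e.g. the 64 extra bits mentioned above. The outstanding query and the two sample messages are constructed.

```python
import struct
from math import expm1, log1p

# Fixed 12-byte DNS header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (RFC 1035)
DNS_HEADER = struct.Struct("!HHHHHH")


def parse_header(msg: bytes) -> dict:
    """Parse the fixed DNS header; refuse truncated input instead of misreading it."""
    if len(msg) < DNS_HEADER.size:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = DNS_HEADER.unpack_from(msg)
    return {"id": txid, "qr": flags >> 15, "qdcount": qd, "ancount": an}


def response_matches(outstanding: dict, src_port: int, msg: bytes) -> bool:
    """Accept a UDP answer only if it is a response (QR=1) whose ID equals the one
    we sent and which arrives on the port we sent the query from."""
    h = parse_header(msg)
    return h["qr"] == 1 and h["id"] == outstanding["id"] and src_port == outstanding["port"]


def forgery_success_probability(entropy_bits: int, forged_per_window: int) -> float:
    """Probability that at least one of N blind guesses, all landing before the
    genuine answer, matches `entropy_bits` bits of unpredictable state.
    Uses log1p/expm1 so that large bit counts do not underflow to 0."""
    p = 2.0 ** -entropy_bits
    return -expm1(forged_per_window * log1p(-p))


# Constructed sample: a query we sent with ID 0x1a2b from local port 40001.
OUTSTANDING = {"id": 0x1A2B, "port": 40001}
# Constructed answers: same header layout, QR=1, RD+RA set, one question, one answer.
GENUINE_RESPONSE = DNS_HEADER.pack(0x1A2B, 0x8180, 1, 1, 0, 0)
FORGED_RESPONSE = DNS_HEADER.pack(0x1A2C, 0x8180, 1, 1, 0, 0)  # ID off by one

if __name__ == "__main__":
    print("genuine accepted:", response_matches(OUTSTANDING, 40001, GENUINE_RESPONSE))
    print("forged accepted: ", response_matches(OUTSTANDING, 40001, FORGED_RESPONSE))
    # 16 bits (ID only), 32 bits (ID + random port), 80 bits (ID + port + 64 extra)
    for bits in (16, 32, 80):
        print(f"{bits:2d} bits, 65536 forgeries:", forgery_success_probability(bits, 65536))
```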

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com