Suggestion for enhancement to DNS
Jeremy C. Reed
Jeremy_Reed at isc.org
Mon Aug 11 17:56:15 UTC 2008
On Mon, 11 Aug 2008, James Cammarata wrote:
> My solution would be as follows: whenever a DNS server issues a recursive
> query request, add a second question. This question could take several
> forms, it could be for a bogus sub-domain, or just some randomly generated
> hash. If the DNS protocol were extended to allow a new signature-type
> resource record (a long run, I know), the replying server would essentially
> just echo back the question (or if it were done today you'd get NXDOMAIN
> back). Either way, this would prevent a cache poisoning flood attack,
> since only the actual server questioned would have the correct matching
> answer.
Hi James, I guess I am missing something from this. How would it know this
"correct matching answer"?
Also a "signature-type resource record" is already available and is used
by some.
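The following toy model is an added illustration and is not code from this thread or from BIND. It models the mechanism the quoted proposal describes: alongside the real question, the resolver sends a second, randomly generated question that only a responder that actually saw the query can echo back, and the resolver compares the echo against the state it kept for the outstanding query. It also models the two classic blind-spoofing cases (fixed source port versus randomized port, 16-bit TXID in both) so the entropy the attacker has to guess can be compared. The zone names, addresses, the fixed port 53, the 128-bit nonce size and the "random label under the queried name" form of the second question are all assumptions chosen for the simulation.

```python
"""Toy model: blind DNS response spoofing against a recursive resolver.

Added example, not from the thread or from BIND. Names, addresses, port
numbers and the nonce format are assumptions for the simulation.
"""
import random
from dataclasses import dataclass
from typing import Optional

TXID_SPACE = 1 << 16               # DNS transaction IDs are 16 bits
EPHEMERAL_PORTS = range(1024, 65536)
NONCE_BITS = 128                   # assumed size of the random second question


@dataclass(frozen=True)
class Query:
    txid: int
    sport: int
    qname: str
    nonce_qname: Optional[str]     # the proposed second, randomly generated question


@dataclass(frozen=True)
class Response:
    txid: int
    dport: int
    qname: str
    nonce_qname: Optional[str]     # what the responder echoes back (None if nothing)
    answer: str


class Resolver:
    """Keeps outstanding-query state; that state is what the expected echo is matched against."""

    def __init__(self, rng: random.Random, fixed_port: Optional[int], use_nonce: bool):
        self.rng = rng
        self.fixed_port = fixed_port
        self.use_nonce = use_nonce
        self.outstanding = set()
        self.cache = {}

    def send_query(self, qname: str) -> Query:
        txid = self.rng.randrange(TXID_SPACE)
        sport = self.fixed_port if self.fixed_port is not None else self.rng.choice(EPHEMERAL_PORTS)
        nonce = None
        if self.use_nonce:
            # Assumed form: a random label under the queried name, e.g. "3f9a...e1.example.com."
            nonce = "%032x.%s" % (self.rng.getrandbits(NONCE_BITS), qname)
        q = Query(txid, sport, qname, nonce)
        self.outstanding.add(q)
        return q

    def receive(self, query: Query, resp: Response) -> bool:
        """Cache only if the query is still open and TXID, port, question and nonce echo all match."""
        if query not in self.outstanding:
            return False                     # already answered (or never asked): too late
        ok = (resp.txid == query.txid and resp.dport == query.sport
              and resp.qname == query.qname and resp.nonce_qname == query.nonce_qname)
        if ok:
            self.cache[query.qname] = resp.answer
            self.outstanding.discard(query)
        return ok


def authoritative_reply(query: Query, answer: str) -> Response:
    """The real server saw the query, so it can echo everything, nonce included."""
    return Response(query.txid, query.sport, query.qname, query.nonce_qname, answer)


def blind_spoof(resolver: Resolver, query: Query, guessed_port: int, poison: str) -> bool:
    """Off-path attacker: knows the name being looked up, guesses one port and
    floods every TXID. It never saw the query, so it cannot echo the nonce."""
    for txid in range(TXID_SPACE):
        forged = Response(txid, guessed_port, query.qname, None, poison)
        if resolver.receive(query, forged):
            return True
    return False


def spoof_success_probability(attempts: int, txid_bits: int = 16,
                              port_bits: int = 0, nonce_bits: int = 0) -> float:
    """Chance that `attempts` random forgeries hit every guessed field at least once."""
    p_one = 2.0 ** -(txid_bits + port_bits + nonce_bits)
    return 1.0 - (1.0 - p_one) ** attempts


def run_scenario(seed: int, fixed_port: Optional[int], use_nonce: bool) -> dict:
    """One lookup under a blind flood; the attacker guesses port 53 (right only when
    the resolver pins its source port to 53). Returns what ended up in the cache."""
    resolver = Resolver(random.Random(seed), fixed_port, use_nonce)
    query = resolver.send_query("example.com.")
    spoofed = blind_spoof(resolver, query, guessed_port=53, poison="203.0.113.66")
    genuine = resolver.receive(query, authoritative_reply(query, "192.0.2.1"))
    return {"spoofed": spoofed, "genuine_accepted": genuine, "cache": dict(resolver.cache)}


if __name__ == "__main__":
    for label, port, nonce in (("fixed port, no nonce", 53, False),
                               ("random port, no nonce", None, False),
                               ("fixed port, nonce", 53, True)):
        print(label, run_scenario(1, port, nonce))
    print("P(poison | 65536 tries, fixed port) =", spoof_success_probability(65536))
    print("P(poison | 65536 tries, random port) =", spoof_success_probability(65536, port_bits=16))
```

In the model the resolver "knows the correct matching answer" only because it kept the nonce in its outstanding-query state and compares the echo against it; the real server can reproduce it because it received the query, and the off-path attacker cannot because it never did. Note that a real DNS response already echoes the question section of the query, which is what case-randomized queries (the "0x20" technique) rely on; the random-port model above also ignores an attacker who sprays many destination ports, which the analytic `spoof_success_probability` accounts for with `port_bits`.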