Vulnerability to cache poisoning -- the rest of the solution

G.W. Haywood ged at jubileegroup.co.uk
Wed Jul 16 08:23:51 UTC 2008


Hi there,

On Wed, 16 Jul 2008, Mark Andrews wrote:

> > >>> This makes TCP much harder, but not impossible, to spoof than UDP.
> > >>
> > >> As an interim measure, I take it that using TCP only isn't an option?
> > >
> > > 	No.  You have people that believe they can block TCP
> > > 	connections to DNS servers despite the RFCs saying they
> > > 	SHOULD be open.
> > >
> > Well, more fundamentally than that, it would be a violation of RFC 1123
>
> 	RFCs can be updated.  If it was felt that the only way to
> 	address this problem was to go to TCP then I'm sure that an
> 	RFC could have made it through the review process in enough
> 	time to stop complaints.

My point was of course that it might be easier to get something done
in a reasonable timeframe if it didn't involve getting people (well,
committees:) to agree on issues like who is to hold the keys.

I can't see how anyone can view the situation which we have at present
as anything other than a monumental cock-up.

--

73,
Ged.
