Vulnerability to cache poisoning -- the rest of the solution
G.W. Haywood
ged at jubileegroup.co.uk
Wed Jul 16 08:23:51 UTC 2008
Hi there,
On Wed, 16 Jul 2008, Mark Andrews wrote:
> > >>> This makes TCP much harder, but not impossible, to spoof than UDP.
> > >>
> > >> As an interim measure, I take it that using TCP only isn't an option?
> > >
> > > No. You have people that believe they can block TCP
> > > connections to DNS servers despite the RFCs saying they
> > > SHOULD be open.
> > >
> > Well, more fundamentally than that, it would be a violation of RFC 1123
>
> RFCs can be updated. If it was felt that the only way to
> address this problem was to go to TCP then I'm sure that a
> RFC could have made it through the review process in enough
> time to stop complaints.
My point was of course that it might be easier to get something done
in a reasonable timeframe if it didn't involve getting people (well,
committees:) to agree on issues like who is to hold the keys.
I can't see how anyone can view the situation which we have at present
as anything other than a monumental cock-up.
--
73,
Ged.