DNSSECbis Q-2: degradation attack

Michael Richardson mcr at sandelman.ottawa.on.ca
Tue Sep 2 22:46:05 UTC 2003


>>>>> "Miek" == Miek Gieben <miekg at atoom.net> writes:
    Miek> [On 02 Sep, @23:16, Michael wrote in "Re: DNSSECbis Q-2: degradation ..."]
    >> Mike, thank you for the diagram. It looks correct to me.
    >> It certainly answers the algorithm question for me.
    >> A major question is what does the resolver do with all this information?
    >> One thing I found weird about your diagram is that you have "Process Normal
    >> Response" in the middle of the diagram, while "Treat Secure" is at the
    >> bottom. 
    >> It isn't obvious that the "Treat as Bogus" is also a terminal node. May
    >> I suggest that you put them all at the bottom of the diagram?
    >> Then, we are back to the problem of expressing three outcomes using only
    >> 1 bit when communicating with the application :-)

    Miek> is there any documentation about this API? Should I look at the
    Miek> lwred source code from bind9? Or are we free to invent a new API?

  lwres is built into bind9.
  It is presently just DNS over I would actually prefer to
use Unix domain stream sockets - specifically so that I know that it is
local, and so that I can get signaled when the server dies, etc.

  I have just finished (yet another?.. not quite) async interface to
liblwres, which I'm about to post. It groks DNSSEC and follows CNAMEs,
which I need.

  Please note reply-to.

]      Out and about in Ottawa.    hmmm... beer.                |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr at sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian/notebook using, kernel hacking, security guy");  [


More information about the bind-workers mailing list