On Mon, 18 Aug 2008, Paul Hoffman wrote:
> At 1:27 PM +0100 8/18/08, Jim Reid wrote:
> >The fact is DNSSEC is the *only* game in town for preventing cache poisoning.
>
> Note the subject of this particular thread. A more carefully-worded
> sentence would be "The fact is DNSSEC is the *only* game in town for
> completely preventing cache poisoning." We have methods to reduce an
> attacker's ability to poison caches effectively.
If the DNSSEC cache doesn't verify the records it caches, it is still susceptible to poisoning. DNSSEC caches that verify are subject to a crypto-overload attack by large numbers of queries. Both kinds of attacks ultimately result in a DoS.

--Dean

--
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net         faster, more reliable, better service
617 344 9000

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop