On Mon, 18 Aug 2008, Paul Hoffman wrote:

> At 1:27 PM +0100 8/18/08, Jim Reid wrote:
> >The fact is DNSSEC is the *only* game in town for preventing cache poisoning.
> 
> Note the subject of this particular thread. A more carefully-worded 
> sentence would be "The fact is DNSSEC is the *only* game in town for 
> completely preventing cache poisoning." We have methods to reduce an 
> attacker's ability to poison caches effectively.

If the DNSSEC cache doesn't verify the records it caches, it is still 
susceptible to poisoning.

DNSSEC caches that verify are subject to a crypto-overload attack by 
large numbers of queries.

Both kinds of attacks ultimately result in a DOS.

                --Dean

-- 
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net         faster, more reliable, better service
617 344 9000   


_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
