On Tue, Aug 19, 2008 at 12:07:04PM -0400, Paul Wouters wrote:

> Because this is only true for the authoritative part of DNSSEC. Since
> Dan showed you can cache poison any non-DNSSEC resolver for ANY domain,
> not just the domains you are not protecting, you basically have no choice
> but to mitigate this problem. And DNSSEC, for good or bad, is what we
> have right now.

Is there some sort of shield preventing people from reading or even arguing with http://www.ops.ietf.org/lists/namedroppers/namedroppers.2008/msg01213.html ?

All those things can be done today, unilaterally, and they start working from the moment you enable them.

In fact, I'm so far not having luck getting around even my 3-year-old primitive anti-spoofing behaviour. I've reduced the number of ports I use to 10 to make things more doable, but no luck.

So please consider other options before repeating the holy mantra 'DNSSEC is the only solution'.

	Bert

-- 
http://www.PowerDNS.com      Open source, database driven DNS Software 
http://netherlabs.nl              Open and Closed source services