Re: [DNSOP] A different question (was Re: Kaminsky on djbdns bugs (fwd))

2008-08-19 Thread bert hubert
On Tue, Aug 19, 2008 at 08:55:31AM -0400, Andrew Sullivan wrote: Now, maybe that doesn't matter for many of these cases. It is entirely possible that DNSSEC deployment for most zones is just not worth it. If that's true, however, why are we so worried about poison attacks? Because quite a

Re: [DNSOP] Cache poisoning on DNSSEC

2008-08-19 Thread David Conrad
On Aug 19, 2008, at 6:40 AM, Masataka Ohta wrote: So what? NAT at airport must be, unlike NATs in enterprises, consumer friendly. Unlike high-end NAT, low-end NAT won't bother to interfere with DNS. Right. Because low-end consumer gear is always so much better implemented than enterprise gear.

Re: [DNSOP] Cache poisoning on DNSSEC

2008-08-19 Thread David Ulevitch
David Conrad wrote: which you could have argued against 10 years ago but not now. It's such a shame that computer processing technology for doing stuff like cryptography hasn't advanced in 10 years. Unfortunately, the Internet has grown in 10 years, too. Do you want to fund my costs of

Re: [DNSOP] Cache poisoning on DNSSEC

2008-08-19 Thread Richard Lamb
Another 10 year delay would benefit all our respective businesses ;-) But to move forward you sometimes have to take chances. -Rick -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Ulevitch Sent: Tuesday, August 19, 2008 9:09 AM To: David Conrad Cc:

Re: [DNSOP] A different question (was Re: Kaminsky on djbdns bugs (fwd))

2008-08-19 Thread Paul Wouters
On Tue, 19 Aug 2008, Andrew Sullivan wrote: Sure, large organizations with large, mostly competent, and very conservative IT departments (think banks) will probably not have this problem and will probably deploy successfully. None of that will matter, however, if everyone else starts adopting

Re: [DNSOP] A different question (was Re: Kaminsky on djbdns bugs (fwd))

2008-08-19 Thread bert hubert
On Tue, Aug 19, 2008 at 12:07:04PM -0400, Paul Wouters wrote: Because this is only true for the authoritative part of DNSSEC. Since Dan showed you can cache poison any non-DNSSEC resolver for ANY domain, not just the domains you are not protecting, you basically have no choice but to mitigate

Re: [DNSOP] A different question (was Re: Kaminsky on djbdns bugs (fwd))

2008-08-19 Thread David Conrad
On Aug 19, 2008, at 10:00 AM, bert hubert wrote: In fact, I'm so far not having luck getting around even my 3-year old primitive anti-spoofing behaviour. Have you tried dsniff anywhere on the path the DNS packets take? Regards, -drc

Re: [DNSOP] A different question (was Re: Kaminsky on djbdns bugs (fwd))

2008-08-19 Thread bert hubert
On Tue, Aug 19, 2008 at 01:13:44PM -0400, Paul Wouters wrote: On Tue, 19 Aug 2008, bert hubert wrote: In fact, I'm so far not having luck getting around even my 3-year old primitive anti-spoofing behaviour. Funny, that's not what Dan's talk said. PowerDNS specifically was trivial to spoof

Re: [DNSOP] A different question (was Re: Kaminsky on djbdns bugs (fwd))

2008-08-19 Thread Andrew Sullivan
On Tue, Aug 19, 2008 at 10:35:54AM -0700, David Conrad wrote: it in their products or services. Peter Koch did provide an interesting data point that warrants further investigation (20-35% of queries having DO bit on seems a bit high to me) and someone else responded privately that I

Re: [DNSOP] A different question (was Re: Kaminsky on djbdns bugs (fwd))

2008-08-19 Thread Ted Lemon
On Aug 19, 2008, at 12:23 PM, bert hubert wrote: Again - this is about TODAY. DNSSEC might be the end all solution but even if it is, it is not deployed widely today and it won't be 12 months from now. Nobody's disputing that point. Is this why we are arguing? The reason I'm pushing

Re: [DNSOP] A different question

2008-08-19 Thread sthaug
it in their products or services. Peter Koch did provide an interesting data point that warrants further investigation (20-35% of queries having DO bit on seems a bit high to me) and someone else responded privately that I think Peter's data point sure warrants further investigation,

Re: [DNSOP] A different question

2008-08-19 Thread David Conrad
On Aug 19, 2008, at 2:09 PM, [EMAIL PROTECTED] wrote: Peter Koch did provide an interesting data point that warrants further investigation (20-35% of queries having DO bit on seems a bit high to me) From my own limited investigations (less than 10 servers, but millions of DNS queries thus
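The DO-bit data point discussed in the last few messages (Peter Koch's 20-35%, and David Conrad's own measurements) is something a resolver operator can check directly. The following is an added example, not code from the thread or from any of its participants: a minimal Python DNS parser that builds queries with and without an EDNS0 OPT record, reads the DO flag (bit 15 of the OPT RR's 16-bit extended flags, which live in the low half of the pseudo-RR's TTL field), and computes the fraction of a sample that has DO set. The sample packets, the function names and the 30% ratio they produce are constructed for illustration and are not figures from the thread.

```python
import struct

OPT_TYPE = 41      # EDNS0 OPT pseudo-RR type code (RFC 2671 / RFC 6891)
DO_FLAG = 0x8000   # "DNSSEC OK": top bit of the OPT RR's 16-bit extended flags


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels ending in the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, txid=0x1234, edns=False, do=False, udp_size=4096):
    """Build a recursive query; optionally append an OPT RR with or without DO."""
    arcount = 1 if edns else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # flags: RD=1
    question = encode_name(name) + struct.pack("!HH", qtype, 1)     # QCLASS IN
    opt = b""
    if edns:
        # OPT RR: root name, TYPE 41, CLASS = requestor's UDP payload size,
        # TTL = extended RCODE (8 bits) | version (8 bits) | flags (16 bits), empty RDATA.
        opt = b"\x00" + struct.pack("!HHBBHH", OPT_TYPE, udp_size, 0, 0,
                                    DO_FLAG if do else 0, 0)
    return header + question + opt


def skip_name(pkt, off):
    """Return the offset just past the name at pkt[off], handling compression pointers."""
    while True:
        if off >= len(pkt):
            raise ValueError("truncated name")
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2           # compression pointer: two bytes, ends the name
        off += 1 + length


def do_bit(pkt):
    """True/False for the DO flag of the OPT RR in the additional section,
    None if the message carries no OPT RR (i.e. it is not an EDNS message)."""
    if len(pkt) < 12:
        raise ValueError("short header")
    _txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(pkt, off) + 4           # skip QTYPE + QCLASS
    result = None
    for i in range(an + ns + ar):
        off = skip_name(pkt, off)
        if off + 10 > len(pkt):
            raise ValueError("truncated RR")
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE and i >= an + ns:  # OPT is only legal in the additional section
            result = bool(ttl & DO_FLAG)        # low 16 bits of TTL are the extended flags
    if off > len(pkt):
        raise ValueError("truncated RDATA")
    return result


def do_fraction(packets):
    """Fraction of queries with DO=1, the quantity behind the 20-35% figure in the thread."""
    if not packets:
        return 0.0
    return sum(1 for p in packets if do_bit(p)) / len(packets)


# Constructed sample: 3 queries with DO=1, 2 EDNS queries without DO, 5 plain non-EDNS queries.
SAMPLE_QUERIES = (
    [build_query("www.example.com.", edns=True, do=True, txid=i) for i in range(3)]
    + [build_query("mail.example.net.", qtype=15, edns=True, txid=10 + i) for i in range(2)]
    + [build_query("example.org.", qtype=28, txid=20 + i) for i in range(5)]
)

if __name__ == "__main__":
    print("DO bit set on %d%% of sampled queries" % round(100 * do_fraction(SAMPLE_QUERIES)))
```

To reproduce the measurement on real traffic, feed `do_fraction` the UDP payloads of inbound port-53 queries (for example extracted from a pcap), excluding responses by checking the QR bit in the header flags; `do_bit` returning None for a packet means the client sent no OPT RR at all, which is the non-EDNS population rather than a client that explicitly cleared DO.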

Re: [DNSOP] deprecating dangerous bit patterns and non-TC non-AXFR non-IXFR TCP

2008-08-19 Thread Dean Anderson
On Mon, 18 Aug 2008, bert hubert wrote: What's the rush with deprecating DNS/TCP btw? It languished in the shade for 25 years.. TCP doesn't work with Anycast, as was stated in RFC1546. And Root server operators are supposed to offer TCP to everyone, not just those that use the stateless UDP

Re: [DNSOP] Cache poisoning on DNSSEC

2008-08-19 Thread Ted Lemon
On Aug 19, 2008, at 8:15 PM, Dean Anderson wrote: A verifying DNSSEC cache can be poisoned with bad glue records using the poisoning attack, with only a slight change to the Kaminsky software. Do you mean that it can be convinced that an answer is valid when it is not?