Question for David Conrad,
DNSSEC is clearly a good thing. But my question is based on my
recollection of the IETF list December 99 discussion of unencumbered
host-to-host connectivity across the internet. IPSEC, if I recall
correctly, can't get through a NAT box. Can DNSSEC successfully
traverse a NAT box? If it cannot, what are the DNS security
implications for the user on the other side of the NAT (network
address translation) box?
>Sigh.
>
> > > You don't get it - do you. Let me try to clarify the state of BIND for
> > > you. ALL VERSIONS OF BIND UNDER VIXIE CAN BE HACKED.
>
>The DNS protocol suite, as specified in RFC 1034 and 1035 has a bug: the
>sequence space of DNS queries is only 16 bits, thus it is possible to spoof a
>response and insert badness as a response to a query. As the DNS is (usually)
>based on UDP, you don't even need to be on the local network to do it.
>
>This is a known failure of the protocol and is remedied with DNSSEC (RFC
>2535), which will be fully implemented in BINDv9 (there is a partial
>implementation in BIND 8.2.2-P5 that may be useful to experiment with). There
>may also be other steps that can be taken to limit the vulnerability to
>spoofing that are currently being discussed in the context of the root
>nameserver operations draft, see the DNSOPS working group in the IETF if
>interested.
****************************************************************
The COOK Report on Internet
431 Greenway Ave, Ewing, NJ 08618 USA  http://cookreport.com
(609) 882-2572 (phone & fax)
[EMAIL PROTECTED]
Index to 8 years of the COOK Report
Battle for Cyberspace: How Crucial Technical . . . - 392 pages
just published. See http://cookreport.com/ipbattle.shtml
****************************************************************
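The quoted reply explains the weakness in plain DNS over UDP: a resolver accepts whichever response arrives first with the right 16-bit query ID and matching question section, so the ID space is the only thing a forger has to guess. The following is an added example, not code from this thread or from BIND, that shows the response-matching check a resolver performs (RFC 1035 header and question layout, uncompressed names only) and how quickly a 16-bit identifier is exhausted by repeated guesses. The `entropy_bits` parameter is a generalization beyond the thread: it lets you compare a bare 16-bit ID with a larger unpredictable space, which is the direction the "other steps" mentioned in the reply point toward. All names and helper functions here are assumptions chosen for illustration.

```python
import secrets
import struct

# RFC 1035 section 4.1.1: the fixed 12-byte DNS header.
HEADER_FMT = "!HHHHHH"
QR_BIT = 0x8000          # "this is a response" flag


def new_transaction_id():
    """Pick a query ID from a CSPRNG; a predictable counter would shrink the guess space further."""
    return secrets.randbits(16)


def build_header(txid, flags, qdcount=1, ancount=0, nscount=0, arcount=0):
    return struct.pack(HEADER_FMT, txid, flags, qdcount, ancount, nscount, arcount)


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression pointers)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid, name, qtype=1, qclass=1):
    """A standard query (RD set) for `name`; qtype 1 = A, qclass 1 = IN."""
    return build_header(txid, 0x0100) + encode_name(name) + struct.pack("!HH", qtype, qclass)


def build_response(txid, name, flags=0x8180, qtype=1, qclass=1):
    """A minimal response carrying only the echoed question section (constructed sample)."""
    return build_header(txid, flags) + encode_name(name) + struct.pack("!HH", qtype, qclass)


def parse_message(data):
    """Parse the header and the first question; enough for response matching."""
    txid, flags, qd, an, ns, ar = struct.unpack(HEADER_FMT, data[:12])
    pos, labels = 12, []
    while True:
        length = data[pos]
        pos += 1
        if length == 0:
            break
        labels.append(data[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", data[pos:pos + 4])
    return {"id": txid, "flags": flags, "qdcount": qd,
            "qname": ".".join(labels) + ".", "qtype": qtype, "qclass": qclass}


def response_matches_query(response, query):
    """The checks a resolver applies before trusting a UDP answer:
    same ID, QR bit set, and an identical question section.
    Everything here is guessable by an off-path sender, which is the point."""
    r, q = parse_message(response), parse_message(query)
    if r["id"] != q["id"]:
        return False
    if not r["flags"] & QR_BIT:
        return False
    return (r["qname"].lower(), r["qtype"], r["qclass"]) == \
           (q["qname"].lower(), q["qtype"], q["qclass"])


def spoof_success_probability(attempts, entropy_bits=16):
    """Probability that at least one of `attempts` uniformly random guesses hits an
    unknown identifier drawn from 2**entropy_bits values (guesses with replacement)."""
    space = 2 ** entropy_bits
    return 1.0 - (1.0 - 1.0 / space) ** attempts


if __name__ == "__main__":
    txid = new_transaction_id()
    q = build_query(txid, "example.com.")
    print("genuine response accepted:", response_matches_query(build_response(txid, "example.com."), q))
    print("wrong-ID response rejected:", not response_matches_query(build_response(txid ^ 1, "example.com."), q))
    for n in (1, 1000, 65536):
        print(f"{n:>6} guesses vs 16-bit ID: {spoof_success_probability(n):.4f}")
    print(f"65536 guesses vs 32-bit space: {spoof_success_probability(65536, 32):.6f}")
```

Running it shows that a single forged packet has a 1-in-65536 chance, but 65536 forged packets (trivial on a fast link) succeed about 63% of the time, while a 32-bit unknown space drops that to well under 0.01%. That gap is why DNSSEC, which authenticates the data itself rather than relying on the ID, is the actual fix the reply refers to.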