[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

DNS hardening, was Re: Dan Kaminsky

Subject: DNS hardening, was Re: Dan Kaminsky
From: fweimer at bfk.de (Florian Weimer)
Date: Thu, 06 Aug 2009 07:32:50 +0000
In-reply-to: <[email protected]> (John Levine's message of "5 Aug 2009 16\:48\:23 -0000")
References: <[email protected]>

* John Levine:

> 3) Random case in queries, e.g. GooGLe.CoM

This does not work well without additional changes because google.com
can be spoofed with responses to 123352123.com (or even 123352123.).

Unbound strives to implement the necessary changes, some of which are
also required if you want to use DNSSEC to compensate for lack of
channel security.  As far as I know (and Paul will certainly correct
me), the necessary changes are not present in current BIND releases.

> 4) Ask twice (with different values for the first three hacks) and
> compare the answers

There is a protocol proposal to cope with fluctuating data, but I'm
not aware that anyone has expressed interest in implementing it.
Basically, the idea is to reduce caching for such data, so that
successful spoofing attacks have less amplification effect.

> I presume everyone is doing the first two.  Any experience with the
> other two to report?

0x20 has alleged interoperability issues.  It's also not such a simple
upgrade as it was initially thought, so the trade-off is rather poor
for existing resolver code bases.

-- 
Florian Weimer                <fweimer at bfk.de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstra?e 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99

References:
- DNS hardening, was Re: Dan Kaminsky
  - From: johnl at iecc.com (John Levine)

Prev by Date: DNS hardening, was Re: Dan Kaminsky
Next by Date: dnscurve and DNS hardening, was Re: Dan Kaminsky
Previous by thread: DNS hardening, was Re: Dan Kaminsky
Next by thread: Fwd: Dan Kaminsky
Index(es):
- Date
- Thread