[dns-operations] DNS whitelisting

Gadi Evron ge at linuxbox.org
Tue Mar 7 22:04:19 UTC 2006


Florian Weimer wrote:
> * Gadi Evron:
> 
> 
>>>The idea is to use SYN cookies to whitelist "good" addresses,
>>>without keeping too much state servers-side.  You can use CNAME RRs
>>>to implement pure UDP-based cookies, by the way.  (Riverhead
>>>applied for a patent on such techniques, IIRC.)
>>
>>Is SPF for DNS next?
> 
> 
> To prevent things like the kimble.org fiasco?  I don't think the
> community as a whole cares much about the right-hand side of DNS
> records.  This applies to other RHS issues, too, like lame delegations
> and bogus authoritative name servers for some TLDs.

Okay, well, not on the protocol level: a DNS server which is registered
with a white-list is one more reason to "trust" it. You don't have to
have every DNS server in the world. The ones we may have on such a list
will still be of some added value.

Caveats:
Defining what Trust is, i.e., it can be as simple as checking once a week
to make sure it doesn't allow relay from the world.

It's a use-if-you-like list; I don't see it as a FUSSP, and it's a good
start for a future blacklisting possibility to page the community.

	Gadi.
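As an added illustration of the CNAME-based UDP cookie idea quoted above (example code written for this page, not Florian's, Riverhead's, or any list member's implementation): the server answers an unknown source's first query with a CNAME whose leading label is a keyed MAC over the source address, the name and a time bucket, so it holds no per-client state until the client proves it can receive at that address by following the CNAME. The secret, zone data, 300-second bucket and 16-hex-character label length are constructed assumptions.

```python
import hmac
import hashlib

BUCKET_SECONDS = 300   # assumed cookie lifetime window
LABEL_LEN = 16         # assumed hex length of the cookie label (must be <= 63)


def _tag(secret: bytes, client_ip: str, qname: str, bucket: int) -> str:
    """Truncated HMAC binding the cookie to (source address, name, time bucket)."""
    msg = f"{client_ip}|{qname.lower()}|{bucket}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:LABEL_LEN]


def cookie_cname(secret: bytes, client_ip: str, qname: str, now: int) -> str:
    """CNAME target handed to an unverified source; it stays inside the queried name's zone."""
    return f"{_tag(secret, client_ip, qname, now // BUCKET_SECONDS)}.{qname}"


def verify_cookie(secret: bytes, client_ip: str, name: str, now: int):
    """Return the original qname if `name` carries a valid cookie for this source, else None."""
    label, _, original = name.partition(".")
    bucket = now // BUCKET_SECONDS
    for b in (bucket, bucket - 1):           # tolerate a bucket boundary between the two queries
        if hmac.compare_digest(label, _tag(secret, client_ip, original, b)):
            return original
    return None


class CookieServer:
    """Toy authoritative server: only addresses that followed a cookie CNAME get real answers."""

    def __init__(self, secret: bytes, zone: dict):
        self.secret = secret
        self.zone = zone              # constructed name -> A record mapping
        self.whitelist = set()        # the only state kept: sources that completed the exchange

    def handle(self, client_ip: str, qname: str, now: int):
        if client_ip in self.whitelist:
            return ("A", self.zone.get(qname))
        original = verify_cookie(self.secret, client_ip, qname, now)
        if original is not None:
            # A spoofed source never sees the CNAME, so only a real receiver gets here.
            self.whitelist.add(client_ip)
            return ("A", self.zone.get(original))
        return ("CNAME", cookie_cname(self.secret, client_ip, qname, now))
```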