[dns-operations] DNS whitelisting

Gadi Evron ge at linuxbox.org
Tue Mar 7 22:04:19 UTC 2006

Florian Weimer wrote:
> * Gadi Evron:
>>>The idea is to use SYN cookies to whitelist "good" addresses,
>>>without keeping too much state servers-side.  You can use CNAME RRs
>>>to implement pure UDP-based cookies, by the way.  (Riverhead
>>>applied for a patent on such techniques, IIRC.)
>>Is SPF for DNS next?
> To prevent things like the kimble.org fiasco?  I don't think the
> community as a whole cares much about the right-hand side of DNS
> records.  This applies to other RHS issues, too, like lame delegations
> and bogus authoritative name servers for some TLDs.

Okay, well - not on the protocol level, a DNS server which is registered 
with a white-list is one more reason to "trust" it. You don't have to 
have every DNS server in the world. The ones we may have on such a list 
will still be of some added value.

Defining what Trust is, i.e., can be as simple as checked once a week to 
make sure it doesn't allow relay from the world.

It's a use-if-you-like list, I don't see it as a FUSSP and it's a good 
start for a future blacklisting possibility to page the community.


More information about the dns-operations mailing list