[dns-operations] DNS whitelisting

bmanning at vacation.karoshi.com
Wed Mar 8 06:22:42 UTC 2006


On Wed, Mar 08, 2006 at 12:04:19AM +0200, Gadi Evron wrote:
> Florian Weimer wrote:
> > * Gadi Evron:
> > 
> > 
> >>>The idea is to use SYN cookies to whitelist "good" addresses,
> >>>without keeping too much state servers-side.  You can use CNAME RRs
> >>>to implement pure UDP-based cookies, by the way.  (Riverhead
> >>>applied for a patent on such techniques, IIRC.)
> >>
> >>Is SPF for DNS next?
> > 
> > 
> > To prevent things like the kimble.org fiasco?  I don't think the
> > community as a whole cares much about the right-hand side of DNS
> > records.  This applies to other RHS issues, too, like lame delegations
> > and bogus authoritative name servers for some TLDs.
> 
> Okay, well - not on the protocol level, a DNS server which is registered 
> with a white-list is one more reason to "trust" it. You don't have to 
> have every DNS server in the world. The ones we may have on such a list 
> will still be of some added value.

	registered how?  by FQDN?  looked up by...?
	speaking of which - how does one even -find- the white-list server?
--bill

> 
> Caveats:
> Defining what Trust is, i.e., can be as simple as checked once a week to 
> make sure it doesn't allow relay from the world.
> 
> It's a use-if-you-like list, I don't see it as a FUSSP and it's a good 
> start for a future blacklisting possibility to page the community.
> 
> 	Gadi.
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.oarci.net
> http://lists.oarci.net/mailman/listinfo/dns-operations
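As an added illustration of the scheme Florian sketches in the quoted text (a SYN-cookie-style challenge over UDP, with a CNAME round-trip standing in for the TCP handshake), here is a small simulation written for this page. It is not code from the thread and is not Riverhead's patented method; the `verify.example` suffix, the HMAC cookie, the time slots and the whitelist lifetime are all assumptions chosen for the example. An unverified source gets a CNAME whose owner name embeds a cookie bound to its address; only a client that actually received that reply (i.e. did not spoof its source) can re-query that name, and only then is the address whitelisted and answered from the zone.

```python
import hashlib
import hmac
import time

# Constructed secret for the example; a real server would generate a random
# secret at startup and rotate it. Everything below is an assumption, not a
# description of any shipping product.
SECRET = b"example-secret-rotate-me"
VERIFY_SUFFIX = ".verify.example."   # hypothetical domain the server controls
SLOT_SECONDS = 300                   # cookie validity window
WHITELIST_SECONDS = 3600             # how long a verified address stays trusted


def current_slot(now=None):
    """Coarse time slot so cookies expire without the server storing them."""
    return int((time.time() if now is None else now) // SLOT_SECONDS)


def make_cookie(client_ip, qname, slot):
    """Stateless cookie: HMAC over client address, query name and time slot."""
    msg = f"{client_ip}|{qname.lower()}|{slot}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:16]


def check_cookie(client_ip, qname, cookie, now=None):
    """Accept the current or previous slot so a rollover does not reject a client mid-exchange."""
    slot = current_slot(now)
    return any(
        hmac.compare_digest(make_cookie(client_ip, qname, s), cookie)
        for s in (slot, slot - 1)
    )


class CookieServer:
    """Authoritative server that challenges unknown UDP sources before answering."""

    def __init__(self, zone):
        self.zone = zone          # constructed zone: qname -> answer
        self.whitelist = {}       # client_ip -> expiry timestamp (the only state kept)

    def is_whitelisted(self, ip, now):
        return self.whitelist.get(ip, 0) > now

    def handle(self, client_ip, qname, now=None):
        now = time.time() if now is None else now
        if self.is_whitelisted(client_ip, now):
            return ("ANSWER", self.zone.get(qname, "NXDOMAIN"))

        if qname.endswith(VERIFY_SUFFIX):
            # Verification query: <cookie>.<original name>.verify.example.
            stripped = qname[: -len(VERIFY_SUFFIX)]
            cookie, _, original = stripped.partition(".")
            original += "."
            if check_cookie(client_ip, original, cookie, now):
                # The client proved it received our CNAME, so its source address is real.
                self.whitelist[client_ip] = now + WHITELIST_SECONDS
                return ("ANSWER", self.zone.get(original, "NXDOMAIN"))
            return ("REFUSED", None)

        # Unknown source: answer with a CNAME carrying the cookie instead of the real data.
        cookie = make_cookie(client_ip, qname, current_slot(now))
        return ("CNAME", f"{cookie}.{qname.rstrip('.')}{VERIFY_SUFFIX}")


if __name__ == "__main__":
    srv = CookieServer({"www.example.com.": "192.0.2.10"})
    t = 1_700_000_000.0
    kind, target = srv.handle("198.51.100.7", "www.example.com.", t)
    print(kind, target)                                    # CNAME <cookie>.www.example.com.verify.example.
    print(srv.handle("203.0.113.9", target, t))            # REFUSED: cookie is bound to another address
    print(srv.handle("198.51.100.7", target, t))           # ANSWER 192.0.2.10, address now whitelisted
    print(srv.handle("198.51.100.7", "www.example.com.", t + 10))
```

The server holds state only for addresses that completed the round-trip; a spoofed source never sees the CNAME and so never gets past the challenge, which is the same property SYN cookies give TCP. The cost is one extra query per new client and the usual CNAME-chasing behaviour of resolvers, and, as Bill's reply asks, none of this says anything about how a "registered" server would be found or trusted by third parties.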
