[dns-operations] DNS whitelisting

bmanning at vacation.karoshi.com bmanning at vacation.karoshi.com
Wed Mar 8 06:22:42 UTC 2006

On Wed, Mar 08, 2006 at 12:04:19AM +0200, Gadi Evron wrote:
> Florian Weimer wrote:
> > * Gadi Evron:
> > 
> > 
> >>>The idea is to use SYN cookies to whitelist "good" addresses,
> >>>without keeping too much state servers-side.  You can use CNAME RRs
> >>>to implement pure UDP-based cookies, by the way.  (Riverhead
> >>>applied for a patent on such techniques, IIRC.)
> >>
> >>Is SPF for DNS next?
> > 
> > 
> > To prevent things like the kimble.org fiasco?  I don't think the
> > community as a whole cares much about the right-hand side of DNS
> > records.  This applies to other RHS issues, too, like lame delegations
> > and bogus authoritative name servers for some TLDs.
> Okay, well - not on the protocol level, a DNS server which is registered 
> with a white-list is one more reason to "trust" it. You don't have to 
> have every DNS server in the world. The ones we may have on such a list 
> will still be of some added value.

	registered how?  by FQDN?  looked up by...?
	speaking of which - how does one even -find- the white-list server?

> Caveats:
> Defining what Trust is, i.e., can be as simple as checked once a week to 
> make sure it doesn't allow relay from the world.
> It's a use-if-you-like list, I don't see it as a FUSSP and it's a good 
> start for a future blacklisting possibility to page the community.
> 	Gadi.
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.oarci.net
> http://lists.oarci.net/mailman/listinfo/dns-operations

More information about the dns-operations mailing list