[dns-operations] the mathematics of kaminsky spoofing probability

Sean Donelan sean at donelan.com
Mon Aug 4 09:04:54 UTC 2008


On Mon, 4 Aug 2008, Shane Kerr wrote:
> What can the operator of an authoritative server do if it detects
> someone trying to spoof it? I am not being cheeky, rather I am genuinely
> curious what options are available.

Depends on how important the authoritative zone operator thinks the
recursive server operator is, and how important the recursive server
operator thinks the authoritative zone operator is.

They could talk to each other and decide on several possibilities.  They
could configure the recursive servers as stealth secondaries for the
zone data, which would copy the authoritative zone data to the recursive
servers which would make poisoning the caches more difficult.  They could
establish transmission security such as IPsec or some other transmission
signature protocol. They could connect directly to the network and the
network operator may have infrastructure ACLs to block packets with those
source addresses from any other network boundary.  They could even
exchange information about setting up DNSSEC lookaside validation between
them.  And there are probably other alternatives people will think up.
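As an added illustration, not part of Sean's message: a BIND 9 configuration for the stealth-secondary option above, with the recursive resolver pulling the zone directly from the authoritative server over a TSIG-authenticated transfer. The zone name, addresses and key secret are placeholders.

```conf
// --- On the authoritative server (placeholder address 192.0.2.10) ---
// TSIG key shared with the recursive operator; the secret is a placeholder,
// generate a real one with tsig-keygen.
key "recursor-xfer" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET";
};

zone "example.net" {
    type master;
    file "/var/named/example.net.zone";
    // Only a transfer request signed with the shared key may pull the zone.
    allow-transfer { key "recursor-xfer"; };
    // The stealth secondary is not in the NS RRset, so it must be told
    // explicitly when the zone changes.
    also-notify { 203.0.113.5; };
};

// --- On the recursive server (placeholder address 203.0.113.5) ---
key "recursor-xfer" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET";
};

options {
    recursion yes;
};

// Holding a local copy of the zone means answers for example.net names come
// from zone data rather than from cached responses, so forged replies to
// upstream queries for those names have no cache entry to poison.
zone "example.net" {
    type slave;
    file "/var/named/slave/example.net.zone";
    masters { 192.0.2.10 key "recursor-xfer"; };
    // Stealth: not listed in NS records, and never handed on to anyone else.
    allow-transfer { none; };
    notify no;
};
```

To confirm the resolver is serving the transferred copy, query it with `dig @203.0.113.5 example.net SOA +norecurse`: the answer should carry the aa flag and a serial matching the primary.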
