[dns-operations] the mathematics of kaminsky spoofing probability
jelte at NLnetLabs.nl
Mon Aug 4 10:08:44 UTC 2008
bert hubert wrote:
> On Mon, Aug 04, 2008 at 09:33:59AM +0200, Shane Kerr wrote:
>> What can the operator of an authoritative server do if it detects
>> someone trying to spoof it? I am not being cheeky, rather I am genuinely
>> curious what options are available.
> In that same vein, some options that are available:
> 1) Set the TC bit on answers to the host we think is being spoofed, causing
> it to fall back to TCP, which is considered spoofing-proof
Er, does this work?
If the tc=1 answer causes the host to use TCP, wouldn't the normal real
answer cause it to ignore the spoofs too (for that specific query)?
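Added example, not part of the thread or written by its participants: a simplified model of how a resolver applies arriving UDP datagrams to one outstanding query, showing what a TC=1 reply and a normal reply each do to later packets for that query. The `Pending` class, the function names, the address and the transaction IDs are constructed for illustration; real resolvers also match the source port and the question section.

```python
import struct
from dataclasses import dataclass

QR_BIT = 0x8000  # response flag in the DNS header flags word (RFC 1035)
TC_BIT = 0x0200  # truncation flag: tells the client to retry over TCP

@dataclass
class Pending:
    """One outstanding UDP query as a resolver tracks it (simplified)."""
    txid: int
    server: str
    state: str = "waiting"  # waiting -> answered | tcp_retry

def make_response(txid, tc=False):
    """Constructed 12-byte DNS header only; question/answer sections omitted."""
    flags = QR_BIT | (TC_BIT if tc else 0)
    return struct.pack("!HHHHHH", txid, flags, 1, 0 if tc else 1, 0, 0)

def handle_udp(q, src, packet):
    """Apply one arriving UDP datagram to the pending query."""
    if len(packet) < 12 or q.state != "waiting":
        return "dropped"  # malformed, or the UDP window is already closed
    txid, flags = struct.unpack("!HH", packet[:4])
    if src != q.server or txid != q.txid or not (flags & QR_BIT):
        return "dropped"  # does not match the outstanding query
    if flags & TC_BIT:
        q.state = "tcp_retry"  # UDP content is discarded, query repeats on TCP
        return "tcp_retry"
    q.state = "answered"
    return "accepted"

def race(q, arrivals):
    """Feed (source, packet) pairs to the query in arrival order."""
    return [handle_udp(q, src, pkt) for src, pkt in arrivals]

if __name__ == "__main__":
    srv = "192.0.2.53"  # constructed address (documentation range)
    for label, first in (("TC=1 first", make_response(0x1A2B, tc=True)),
                         ("normal answer first", make_response(0x1A2B))):
        q = Pending(0x1A2B, srv)
        # A wrong-ID packet, the server's reply, then a late matching packet.
        arrivals = [(srv, make_response(0x0001)), (srv, first),
                    (srv, make_response(0x1A2B))]
        print(label, race(q, arrivals), q.state)
```
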