[dns-operations] the mathematics of kaminsky spoofing probability
Jelte Jansen
jelte at NLnetLabs.nl
Mon Aug 4 10:08:44 UTC 2008
bert hubert wrote:
> On Mon, Aug 04, 2008 at 09:33:59AM +0200, Shane Kerr wrote:
>> What can the operator of an authoritative server do if it detects
>> someone trying to spoof it? I am not being cheeky, rather I am genuinely
>> curious what options are available.
>
> In that same vein, some options that are available:
>
> 1) Set the TC bit on answers to the host we think is being spoofed, causing
> it to fall back to TCP, which is considered spoofing-proof
>
Er, does this work?
If the tc=1 answer causes the host to use TCP, wouldn't the normal real
answer cause it to ignore the spoofs too (for that specific query)?
Jelte
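An added illustration, not part of the thread, of the race the two posts discuss: a toy model of a resolver that accepts the first UDP reply matching its transaction id and port, and treats a TC=1 reply as a trigger to re-ask over TCP (which a blind spoofer cannot answer, since it cannot complete the handshake). The Reply class, resolve() and race() are assumed names; all ids and addresses are constructed.

```python
from dataclasses import dataclass

@dataclass
class Reply:
    """One UDP reply as seen by the resolver (all values constructed)."""
    txid: int
    port: int          # destination port, i.e. the resolver's source port
    rdata: str
    tc: bool = False   # TC=1 asks the resolver to retry over TCP

def resolve(q_txid, q_port, replies, tcp_answer):
    """First reply matching the outstanding (txid, port) wins.

    replies: UDP replies in arrival order, spoofed and genuine mixed.
    tcp_answer: what the authoritative server says over TCP; a blind
    spoofer cannot complete the handshake, so this is not forgeable here.
    Returns (rdata accepted, path) with path in {"udp", "tcp", "timeout"}.
    """
    for r in replies:
        if (r.txid, r.port) != (q_txid, q_port):
            continue                      # mismatch: dropped, no state change
        if r.tc:
            return tcp_answer, "tcp"      # truncated: re-ask over TCP
        return r.rdata, "udp"             # full answer: cached as-is
    return None, "timeout"

TXID, PORT = 0x1A2B, 53000                # the resolver's outstanding query
GOOD, BAD = "192.0.2.1", "203.0.113.66"   # genuine vs. spoofed address

def race(spoof_first, legit_tc):
    """Run one race. spoof_first: the forged reply arrives before the
    genuine one. legit_tc: the authoritative server sets TC=1."""
    spoof = Reply(TXID, PORT, BAD)        # forged reply with matching txid/port
    legit = Reply(TXID, PORT, GOOD, tc=legit_tc)
    order = [spoof, legit] if spoof_first else [legit, spoof]
    return resolve(TXID, PORT, order, tcp_answer=GOOD)

if __name__ == "__main__":
    for spoof_first in (True, False):
        for legit_tc in (False, True):
            print(f"spoof first={spoof_first!s:5} TC={legit_tc!s:5} ->",
                  race(spoof_first, legit_tc))
```

In this model the TC=1 reply travels the same UDP path as a normal answer, so it only changes the outcome in the case where the genuine reply arrives first, which is the case the plain answer already wins.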