[dns-operations] the mathematics of kaminsky spoofing probability

Shane Kerr shane at ca.afilias.info
Mon Aug 4 10:55:48 UTC 2008


On Mon, 2008-08-04 at 12:13 +0200, bert hubert wrote:
> In general I think the current spoofing problems may well be amenable to
> dynamic spoofing detection and sidestepping behaviour, but mostly on the
> resolver side of things.

Yes, this makes sense to me. A fallback to TCP if a certain number of
bogus packets are detected makes sense to me. It's not a pretty solution
in terms of load on servers, but if enough resolvers do this then
spoofing attacks will cease to be interesting. And certainly for any
particular resolver operator this makes sense.

It would be nice if operators of authoritative servers could do
something about the spoofing attacks (or better yet, zone
administrators), but I do not think there is much to do in the general
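As an added illustration of the resolver-side behaviour discussed above (this is example code written for this page, not code from Shane, bert or any shipping resolver): a small Python model that tracks each outstanding UDP query by transaction ID and source port, counts replies that match neither, and after a threshold of bogus replies marks the name for TCP, where an off-path forger cannot complete the handshake. The class and function names, the threshold value of 3, and the sample traffic are all assumptions; `spoof_success_probability` only restates the per-race odds of an attacker hitting a uniformly chosen ID (and port, if the resolver randomises it) with a given number of distinct forged replies.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Pending:
    """One outstanding UDP query as the resolver remembers it."""
    qname: str
    txid: int        # 16-bit transaction ID the resolver chose
    sport: int       # UDP source port the query left from
    bogus: int = 0   # replies seen for this name that matched neither field


class SpoofGuard:
    """Hypothetical resolver-side spoof detector (assumed design, not any real resolver's)."""

    def __init__(self, threshold: int = 3):
        self.threshold = threshold   # bogus replies tolerated before switching to TCP
        self.pending = {}            # qname -> Pending
        self.force_tcp = set()       # names we now query over TCP only

    def send(self, qname: str, txid: int, sport: int) -> str:
        """Record a new query; returns the transport it should use."""
        if qname in self.force_tcp:
            return "tcp"
        self.pending[qname] = Pending(qname, txid, sport)
        return "udp"

    def on_udp_response(self, qname: str, txid: int, dport: int) -> str:
        """Classify an incoming UDP reply: 'accept', 'drop' or 'fallback_tcp'."""
        q = self.pending.get(qname)
        if q is None:
            return "drop"                       # unsolicited: nothing outstanding for this name
        if txid == q.txid and dport == q.sport:
            del self.pending[qname]
            return "accept"                     # ID and port both match: genuine, or a lucky guess
        q.bogus += 1                            # mismatched ID or port: someone is guessing
        if q.bogus >= self.threshold:
            del self.pending[qname]
            self.force_tcp.add(qname)
            return "fallback_tcp"               # give up on UDP for this name, retry over TCP
        return "drop"


def spoof_success_probability(forged: int, id_bits: int = 16, port_bits: int = 0) -> float:
    """Chance that `forged` distinct forged replies, all landing before the real
    answer, hit a query whose ID (and source port, if randomised) is uniform."""
    space = 2 ** (id_bits + port_bits)
    return min(1.0, forged / space)


def demo() -> tuple[list[str], str]:
    """Constructed scenario: three forged replies race one query, then the name is re-queried."""
    guard = SpoofGuard(threshold=3)
    guard.send("www.example.com", txid=0x1234, sport=40000)
    # Constructed attacker traffic: correct port (resolver does not randomise it), wrong IDs.
    outcomes = [guard.on_udp_response("www.example.com", txid=t, dport=40000)
                for t in (0x0001, 0x0002, 0x0003)]
    # The next query for this name no longer goes out over UDP.
    transport = guard.send("www.example.com", txid=0x5678, sport=40000)
    return outcomes, transport


if __name__ == "__main__":
    print(demo())
    print(spoof_success_probability(10_000), spoof_success_probability(10_000, port_bits=16))
```

The residual risk is visible in the model: a forged reply that happens to match both ID and port is accepted like any other, which is exactly what the probability function quantifies, and which is why source-port randomisation (adding 16 bits to the space) matters even with the fallback in place. The per-name threshold is deliberately simple; a production resolver would more likely count mismatches per upstream server or per time window and would need to bound the TCP load it inflicts on authoritative servers.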



