[dns-operations] the mathematics of kaminsky spoofing probability

David Conrad drc at virtualized.org
Mon Aug 4 13:45:46 UTC 2008

On Aug 4, 2008, at 5:31 AM, bert hubert wrote:
> On Mon, Aug 04, 2008 at 12:26:03PM +0100, Simon Waters wrote:
>> One can merely ask the question twice over UDP to defeat spoofing,  
>> no need to
>> switch to TCP. Since spoofing both answers blind would be exceedingly
> This is non-trivial because auth servers don't always give the same  
> answers
> (round robin, load balancing devices, plus many auth servers hiding  
> behind
> one IP address, which might not all serve the same data).
> But it is indeed one of the better options.

At some point, the number of hacks necessary to implement address  
spoofing protection (which won't actually prevent spoofing if the  
attacker happens to be on the wire of course) is going to surpass the  
complexity of DNSSEC, both in terms of code as well as operations.

What problem are we trying to solve again?  Is it avoiding DNSSEC at  
all costs or improving the integrity of data supplied by the DNS?


More information about the dns-operations mailing list