[dns-operations] the mathematics of kaminsky spoofing probability
vixie at isc.org
Mon Aug 4 14:13:08 UTC 2008
> At some point, the number of hacks necessary to implement address
> spoofing protection (which won't actually prevent spoofing if the
> attacker happens to be on the wire of course) is going to surpass the
> complexity of DNSSEC, both in terms of code as well as operations.
furthermore, no amount of increased RDNS complexity will protect against
NXDOMAIN remapping or forced search engine proxying as practiced by many
ISPs and hotels and even opendns. nor from malicious upstream forwarding
servers, hacked secondary or primary servers. granted that DNSSEC won't
protect data if the registrar or registry gets hacked, it still protects
a lot more of the end-to-end data path than "ask all questions twice" or
any of the other RDNS complexity proposals that have been aired both here
and on namedroppers. (noting that i am the author of several of these!)
> What problem are we trying to solve again? Is it avoiding DNSSEC at all
> costs or improving the integrity of data supplied by the DNS?
engineers whose implementations would have to be rewritten from scratch to
support DNSSEC tend to be against DNSSEC on (that unmentioned) principle,
and therefore willing to avoid it at all costs. i suppose that if i were
still sitting on BIND8 i would worry that DNSSEC would be bad for me, too.