[dns-operations] [funsec] Leaks in Patch for Web Security Hole

Gadi Evron ge at linuxbox.org
Sun Aug 10 11:49:45 UTC 2008

On Sun, 10 Aug 2008, Larry Seltzer wrote:
>>> Vixie said "11 seconds".  So the patch added a work factor of roughly
> 3,600, rather than the 64K that *full* randomization would have added.
> Or he just got lucky and it happened to work in the first 5% of the
> attack...
>>> But then, it was *known* that the patches merely made it harder to
> hit the hole, and DNSSEC is needed to *totally* fix the issue.
> Well then we're completely screwed because nothing is going to get
> DNSSEC implemented quickly, and the 10 hour number is going to get
> shorter with improvements in hardware and increased parallelism.

I guess it's time for DNS greylisting and DNS White Lists.

I can't wait for bind plugins.

CC:'ing dns-ops, let's move this discussion there.


