[dns-operations] CERT VU#800113 Multiple DNS implementations vulnerable to cache poisoning

bert hubert bert.hubert at netherlabs.nl
Thu Jul 10 22:10:13 UTC 2008

On Thu, Jul 10, 2008 at 05:24:37PM -0400, Sean Donelan wrote:
> Fear too frightening it must be kept secret for 30 days.
> S/MIME - implement now or email will die
> S-BGP - implement now or BGP will die
> DNSSEC - implement now or DNS will die

Right now, DNS as it is really only needs (say) an additional 16 bits of
entropy beyond what source port randomisation can provide. DNS over TCP
offers that today, btw.

I'm sure we'll find a way to cram in those 16 bits without too much hassle.
If the 'stunning industry cooperation' keeps up, it should be no problem at

For the rest, your security and confidentiality, etc., shouldn't rely on DNS
anyhow. There is no ARPSEC either. [*]


[*] For IPv6 something like it is possible

http://www.PowerDNS.com      Open source, database driven DNS Software 
http://netherlabs.nl              Open and Closed source services
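The "16 extra bits" arithmetic in the post can be made concrete with a small entropy budget. The script below is an added illustration, not part of the original message or of PowerDNS; it assumes a 16-bit transaction ID, source ports drawn uniformly from a contiguous range, one bit per letter for 0x20 case randomisation, and a fully random 32-bit TCP initial sequence number that an off-path forger would also have to match. All scenario values are constructed for illustration.

```python
"""Entropy budget for a DNS resolver's query identity (added example, not from the thread).

Assumptions (not from the original post): 16-bit TXID, uniformly chosen source
ports, one bit per letter for 0x20 case randomisation, and a random 32-bit TCP
initial sequence number when the query goes over TCP.
"""
import math


def entropy_bits(count: int) -> float:
    """Entropy, in bits, of a uniform choice among `count` equally likely values."""
    if count < 1:
        raise ValueError("count must be at least 1")
    return math.log2(count)


def query_identity_bits(txid_bits: int = 16,
                        port_lo: int = 1024,
                        port_hi: int = 65535,
                        case_letters: int = 0,
                        tcp: bool = False) -> float:
    """Bits an off-path forger must match before a reply would be accepted.

    A forged reply is only accepted if it carries the right transaction ID,
    arrives on the right source port, reproduces the randomised case of the
    question name (with 0x20), and, over TCP, sits inside the connection's
    sequence-number space.
    """
    bits = float(txid_bits)
    bits += entropy_bits(port_hi - port_lo + 1)   # source-port randomisation
    bits += case_letters                          # 0x20: one bit per ASCII letter
    if tcp:
        bits += 32                                # TCP ISN, assumed fully random
    return bits


def match_probability(bits: float) -> float:
    """Chance that one blind forged reply matches every identity field."""
    return 2.0 ** -bits


def extra_bits(baseline_bits: float, other_bits: float) -> float:
    """How many bits a configuration adds beyond a baseline."""
    return other_bits - baseline_bits


def compare_configurations() -> dict:
    """Entropy available in a few constructed resolver configurations."""
    return {
        # one fixed outgoing port: only the TXID protects the reply
        "fixed_port": query_identity_bits(port_lo=53, port_hi=53),
        # ephemeral ports 1024-65535 (the usual 'source port randomisation')
        "random_port": query_identity_bits(),
        # same, plus 0x20 on a question name with ten letters
        "random_port_0x20": query_identity_bits(case_letters=10),
        # same query carried over TCP instead of UDP
        "over_tcp": query_identity_bits(tcp=True),
    }


if __name__ == "__main__":
    table = compare_configurations()
    udp = table["random_port"]
    for name, bits in table.items():
        print(f"{name:18s} {bits:6.2f} bits  "
              f"p(match)=2^-{bits:.1f}  extra over random_port={extra_bits(udp, bits):+.2f}")
```

Running it shows that port randomisation roughly doubles the bit count over a fixed port, and that TCP adds about 32 bits on top of that, twice the 16 the post says would suffice.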
