[dns-operations] CERT VU#800113 Multiple DNS implementations vulnerable to cache poisoning
bert hubert
bert.hubert at netherlabs.nl
Thu Jul 10 22:10:13 UTC 2008
On Thu, Jul 10, 2008 at 05:24:37PM -0400, Sean Donelan wrote:
> Fear too frightening it must be kept secret for 30 days.
>
> S/MIME - implement now or email will die
> S-BGP - implement now or BGP will die
> DNSSEC - implement now or DNS will die
Right now, DNS as it is really only needs (say) an additional 16 bits of
entropy beyond what source port randomisation can provide. DNS over TCP
offers that today, btw.
I'm sure we'll find a way to cram in those 16 bits without too much hassle.
If the 'stunning industry cooperation' keeps up, it should be no problem at
all.
For the rest, your security and confidentiality etc shouldn't rely on DNS
anyhow. There is no ARPSEC either. [*]
Bert
[*] For IPv6 something like it is possible
--
http://www.PowerDNS.com Open source, database driven DNS Software
http://netherlabs.nl Open and Closed source services
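A defender-side check tied to Bert's point about source-port entropy, added here as an example that is not part of the thread: from a sample of a resolver's outbound query source ports (constructed below, standing in for a packet capture) it estimates how many bits the port actually contributes, adds the 16-bit transaction ID, and reports the total an off-path forger would have to match.

```python
import math
import random
from collections import Counter


def sample_entropy_bits(values):
    """Plug-in Shannon entropy, in bits, of a sample of observed values.

    A sample of n values can show at most log2(n) bits, so the result
    must be read against that ceiling, not against the 16-bit ideal.
    """
    n = len(values)
    counts = Counter(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def port_randomisation_report(observed_ports, txid_bits=16):
    """Summarise the guessing space an off-path forger faces for this
    resolver: the 16-bit transaction ID plus whatever the source port
    contributes in practice (0 for a resolver that never randomises)."""
    port_bits = sample_entropy_bits(observed_ports)
    return {
        "port_bits": port_bits,
        "sample_ceiling_bits": math.log2(len(observed_ports)),
        "total_guess_bits": txid_bits + port_bits,
    }


# Constructed samples: 4096 outbound queries from two hypothetical resolvers.
rng = random.Random(2008)
FIXED_PORT_SAMPLE = [53] * 4096                                  # never randomises
RANDOM_PORT_SAMPLE = [rng.randrange(1024, 65536) for _ in range(4096)]  # randomises


if __name__ == "__main__":
    for name, sample in (("fixed", FIXED_PORT_SAMPLE), ("random", RANDOM_PORT_SAMPLE)):
        r = port_randomisation_report(sample)
        print(f"{name}: port ~{r['port_bits']:.1f} bits "
              f"(sample ceiling {r['sample_ceiling_bits']:.1f}), "
              f"forger must match ~{r['total_guess_bits']:.1f} bits in total")
```

The fixed-port resolver leaves only the 16 TXID bits; the randomising one shows close to the 12-bit ceiling a 4096-query sample can reveal, so a larger capture is needed to confirm the full 16 bits.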