[dns-operations] CERT VU#800113 Multiple DNS implementations vulnerable to cache poisoning

Florian Weimer fweimer at bfk.de
Fri Jul 11 16:53:42 UTC 2008

* Paul Vixie:

> any form of always-use-tcp is undeployable for reasons of both scale and
> reach.  there would be too much state and through-delay in such a system,
> and, there are too many unreachable name servers seen by tcp/53.

I'm not sure if this is actually true.  However, I'm convinced that
switching to TCP would require significant software changes on the
authoritative server side.  And once such changes are needed on both
recursors and authoritative servers, a protocol change and a UDP-based
solution is preferable (and DNSSEC is one that's already out there, at
least to some extent).

IOW, I agree with your conclusion, but for different reasons.

Florian Weimer                <fweimer at bfk.de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99
