[dns-operations] CERT VU#800113 Multiple DNS implementations vulnerable to cache poisoning

Joseph S D Yao jsdy at center.osis.gov
Wed Jul 16 21:19:01 UTC 2008

On Fri, Jul 11, 2008 at 06:53:42PM +0200, Florian Weimer wrote:
> * Paul Vixie:
> > any form of always-use-tcp is undeployable for reasons of both scale and
> > reach.  there would be too much state and through-delay in such a system,
> > and, there are too many unreachable name servers seen by tcp/53.
> I'm not sure if this is actually true.  However, I'm convinced that
> switching to TCP would require significant software changes on the
> authoritative server side.  And once such changes are needed on both
> recursors and authoritative servers, a protocol change and a UDP-based
> solution is preferable (and that's DNSSEC, which is already out there, at
> least to some extent).

More than just the server side.  An unfortunately large number of
firewall administrators believe that it is good security to block TCP
port 53, not realizing they have hamstrung their own DNS.

Joe Yao
Qinetiq NA / Analex Contractor
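As an added illustration of the point about TCP/53, not part of the thread above and not code from any of its participants: RFC 1035 requires a resolver to retry over TCP when a UDP reply comes back with the TC (truncated) bit set, and it frames TCP messages with a 2-byte length prefix. The script below builds a wire-format query, parses the reply header, decides whether a TCP retry is needed, and does the UDP-then-TCP fallback against a real server when asked. The sample truncated reply is constructed inline (it is not a captured packet), and the server and name used in the live check are assumptions for illustration.

```python
import socket
import struct

# Constructed sample, not a captured packet: the header and question section of
# a UDP reply for query ID 0x1234 with QR=1 and TC=1 (flags 0x8200), RCODE=0,
# one question and no records. This is what a resolver sees when the answer did
# not fit in a 512-byte UDP datagram; with TCP/53 filtered, it can go no further.
TRUNCATED_REPLY = (
    struct.pack("!HHHHHH", 0x1234, 0x8200, 1, 0, 0, 0)
    + b"\x07example\x03com\x00"
    + struct.pack("!HH", 1, 1)
)


def build_query(name, qtype=1, qid=0x1234):
    """Wire-format DNS query (RFC 1035 section 4.1) with the RD flag set."""
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    )
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def parse_header(msg):
    """Decode the 12-byte DNS header into its flag bits and section counts."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": qid,
        "qr": bool(flags & 0x8000),   # response bit
        "tc": bool(flags & 0x0200),   # truncated: answer did not fit over UDP
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def needs_tcp_retry(reply, qid):
    """True if this is our response and the server flagged it as truncated."""
    h = parse_header(reply)
    return h["qr"] and h["id"] == qid and h["tc"]


def tcp_frame(msg):
    """RFC 1035 section 4.2.2: over TCP each message carries a 2-byte length."""
    return struct.pack("!H", len(msg)) + msg


def tcp_unframe(data):
    """Strip the TCP length prefix, checking the length matches what arrived."""
    (length,) = struct.unpack("!H", data[:2])
    if len(data) < 2 + length:
        raise ValueError("short TCP DNS message")
    return data[2:2 + length]


def query_with_fallback(server, name, qtype=1, timeout=3.0):
    """Live check: UDP first, TCP only if truncated. Returns (transport, header).

    A socket.timeout on the TCP leg is the symptom the post describes: the
    server answered over UDP but something in the path drops TCP/53.
    """
    qid = 0x1234
    q = build_query(name, qtype, qid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as u:
        u.settimeout(timeout)
        u.sendto(q, (server, 53))
        reply, _ = u.recvfrom(512)
    if not needs_tcp_retry(reply, qid):
        return "udp", parse_header(reply)
    with socket.create_connection((server, 53), timeout=timeout) as t:
        t.sendall(tcp_frame(q))
        buf = b""
        while len(buf) < 2 or len(buf) < 2 + struct.unpack("!H", buf[:2])[0]:
            chunk = t.recv(4096)
            if not chunk:
                raise ConnectionError("TCP/53 connection closed before reply")
            buf += chunk
    return "tcp", parse_header(tcp_unframe(buf))


if __name__ == "__main__":
    # Assumed server and name for illustration; any recursive resolver will do.
    print(query_with_fallback("127.0.0.1", "example.com", qtype=16))
```

Running the live check against a resolver behind a firewall that drops TCP/53 gives a UDP reply with TC=1 followed by a timeout on the TCP leg; a large TXT or DNSKEY answer is an easy way to provoke truncation.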
