[dns-operations] CERT VU#800113 Multiple DNS implementations vulnerable to cache poisoning

Peter van Dijk peter at dataloss.nl
Sat Jul 26 16:17:34 UTC 2008


On Thu, Jul 10, 2008 at 06:28:06AM +0000, Paul Vixie wrote:
> [...]  i would go as far as to say that if
> BCP38 were universally implemented, there would be no forgery-resilience draft
> and no CERT VU#800113 and no need for udp source port randomization nor for
> http://tools.ietf.org/html/draft-vixie-dnsext-dns0x20-00.  even the case for
> Secure DNS depends somewhat on the continued nonuniversal deployment of BCP38.

Adding enough QID entropy mitigates the effects of lack of BCP38
deployment sufficiently - and it is much simpler than deploying
DNSSEC. It logically follows that we should put in the (smaller!)
effort of making one of the QID extension proposals happen; as you
said yourself, if BCP38 is implemented (or something to the same
effect!) we don't need all the other complex stuff.

On Fri, Jul 11, 2008 at 05:11:14PM +0000, Paul Vixie wrote:
> there just is no responsible way forward using extended QID.

Then why is draft-vixie-dnsext-dns0x20 still alive? Note also that the
fallback method in dns0x20 (doing the same query a couple of times)
has scale issues similar to any TCP fallback scenario.

Cheers, Peter
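To make concrete what "QID entropy" and the dns0x20 proposal discussed in this thread amount to, here is an added example (not part of Peter's post or of any resolver implementation) that randomises the case of a query name, performs the resolver-side check that a response echoes exactly that case, and counts the bits an off-path forger must guess with and without source-port randomisation and 0x20 encoding. The function names and the sample name `www.example.com` are this example's own.

```python
import random

def encode_0x20(qname: str, seed=None) -> str:
    """Randomise the case of each ASCII letter in qname (the dns0x20 idea).
    Digits, hyphens and dots carry no case and so add no entropy.
    seed is only for reproducible tests; by default a CSPRNG is used."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    out = []
    for ch in qname:
        if ch.isascii() and ch.isalpha():
            out.append(ch.upper() if rng.getrandbits(1) else ch.lower())
        else:
            out.append(ch)
    return "".join(out)

def matches_0x20(sent_qname: str, answer_qname: str) -> bool:
    """Resolver-side check: the question name echoed in a response must match
    the exact case the resolver sent (a byte-wise, case-sensitive compare).
    A forged reply carrying any other casing of the name is rejected."""
    return sent_qname == answer_qname

def case_bits(qname: str) -> int:
    """Entropy bits contributed by 0x20 encoding: one per ASCII letter."""
    return sum(1 for ch in qname if ch.isascii() and ch.isalpha())

def guess_bits(qname: str, qid_bits: int = 16, port_bits: int = 0,
               use_0x20: bool = False) -> int:
    """Total bits an off-path attacker must guess per forged response:
    the 16-bit QID, plus randomised source-port bits, plus 0x20 bits."""
    bits = qid_bits + port_bits
    if use_0x20:
        bits += case_bits(qname)
    return bits

def entropy_table(qname: str) -> dict:
    """Compare the three deployment states the thread argues about."""
    return {
        "qid only": guess_bits(qname),
        "qid + random port": guess_bits(qname, port_bits=16),
        "qid + random port + 0x20": guess_bits(qname, port_bits=16, use_0x20=True),
    }

if __name__ == "__main__":
    sent = encode_0x20("www.example.com")
    print(sent, matches_0x20(sent, sent), matches_0x20(sent, "www.example.com"))
    print(entropy_table("www.example.com"))
```

Each extra bit halves the chance that a single forged packet is accepted, which is the sense in which Peter argues extra QID-like entropy substitutes for BCP38 on the attacker's side; 0x20 contributes nothing for names made only of digits and hyphens, so it is a supplement to port randomisation, not a replacement.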


