[dns-operations] AT&T DNS Cache Poisoning?

bert hubert bert.hubert at netherlabs.nl
Sun Oct 28 07:40:52 UTC 2012

On Sat, Oct 27, 2012 at 11:43:40PM -0700, David Conrad wrote:
> > It appears that source port randomization works. 
> Was there ever any doubt?  The question wasn't (isn't?) whether source

Yes, people used the Kaminsky hack as a way to push DNSSEC. 

So perhaps doubt was *instilled*.

> making the communication channel irrelevant.  IMHO, it is a better
> long-term solution (folks who know my opinion on DNSSEC may now require
> smelling salts).

As an implementor, after two years, we keep finding DNSSEC corner cases that
make the authors of the very RFCs swoon. 

The effort of implementing everything correctly is just staggering, our
number of regression tests is exploding just to try to keep everything in

It might have been easier all round to just start from scratch and not
pretend that this is 'an enhancement of DNS'. The length of the DNSSEC RFCs
exceeds the length of the standardizing RFCs of DNS.

By the way, I know some people will immediately chime in DNSSEC isn't that
hard, but you won't hear an implementor among them...


More information about the dns-operations mailing list