[dns-operations] AT&T DNS Cache Poisoning?
roy at dnss.ec
Sun Oct 28 21:58:48 UTC 2012
On Oct 28, 2012, at 7:40 AM, bert hubert <bert.hubert at netherlabs.nl> wrote:
> On Sat, Oct 27, 2012 at 11:43:40PM -0700, David Conrad wrote:
>>> It appears that source port randomization works.
>> Was there ever any doubt? The question wasn't (isn't?) whether source
> Yes, people used the Kaminsky hack as a way to push DNSSEC.
DNSSEC does not defend against the Kaminsky hack?
> So perhaps doubt was *instilled*.
Does port randomisation work against a MITM attack?
>> making the communication channel irrelevant. IMHO, it is a better
>> long-term solution (folks who know my opinion on DNSSEC may now require
>> smelling salts).
> As an implementor, after two years, we keep finding DNSSEC corner cases that
> make the authors of the very RFCs swoon.
As the co-author of the DNSSEC RFCs (4033/4034/4035/5155), I have yet to be swooned by any of the DNSSEC corner cases you've found.
> The effort of implementing everything correctly is just staggering, our
> number of regression tests is exploding just to try to keep everything in
Isn't the number of regression tests related to the number of bugs introduced?
> It might have been easier all round to just start from scratch and not
> pretend that this is 'an enhancement of DNS'.
BIND9 was started from scratch with the main purpose of adding DNSSEC. NSD2/3/4 and Unbound(Java/C) and BIND10 were started from scratch with DNSSEC support. I agree that adding DNSSEC to vanilla code is much harder.
> The length of the DNSSEC RFCs
> exceeds the length of the standardizing RFCs of DNS.
Not at all, both 1034 and 1035 are longer that 4034 and 4035. There is an awful lot of non-dnssec standards that update 1034 and 1035 that I could add, but I think I've already proven my point.
> By the way, I know some people will immediately chime in DNSSEC isn't that
> hard, but you won't hear an implementor among them…
As an implementer, I would not say that DNSSEC isn't that hard. It is not rocket science either.
More information about the dns-operations