[dns-operations] summary of recent vulnerabilities in DNS security.

P Vixie vixie at fsi.io
Mon Oct 21 10:34:00 UTC 2013


On Tuesday, October 22, 2013 18:57:41 Haya Shulman wrote:
> 
> On Tue, Oct 22, 2013 at 6:20 PM, Rubens Kuhl <rubensk at nic.br> wrote:
> 
> 
> > Would DNSCrypt, supported by OpenDNS, be a possible mitigation to this
> > issue?
> ...
> > Would IPSEC between resolver and upstream forward be a possible
> > mitigation to this issue?
> 
> Sure, both solve the problem. In particular, any secure channel protocol,
> between the proxy resolver and an upstream forwarder, prevents the attacks.

so, if we develop eastlake cookies, which is necessary in any case due to the 
ddos reflection problems, then your fragmentation related problems go away?

vixie