[dns-operations] resolvers considered harmful

Mark Allman mallman at icir.org
Wed Oct 22 19:18:38 UTC 2014


> > Why not just turn on DNSSEC?
>
> Important zones are still unsigned, so I can understand why there is a
> desire for altenative solutions.

Right.  It isn't like we are lacking for ways to solve the problems we
know about.  E.g., we know how to mitigate the Kaminsky attack.  But,
yet, still there are plenty of vulnerable resolvers (per our PAM paper
From this past spring).  E.g., we know how to secure DNS records with
crypto.  But, yet, broadly speaking we don't do it.  So, perhaps we need
to re-think things.

allman



-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 180 bytes
Desc: not available
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20141022/28304106/attachment.sig>


More information about the dns-operations mailing list