<div dir="ltr"><div class="gmail_default" style="font-family:tahoma,sans-serif">This is correct, the conclusion from our results (and mentioned in all our papers on DNS security) is to deploy DNSSEC (fully and correctly). We are proponents of cryptographic defenses, and I think that DNSSEC is the most suitable (proposed and standardised) mechanism to protect DNS against cache poisoning. Deployment of new Internet mechanisms is always challenging (and the same applies to DNSSEC). Therefore, we recommend short term countermeasures (against vulnerabilities that we found) and also investigate mechanisms to facilitate deployment of DNSSEC.</div>
<div class="gmail_extra"><br><br><div class="gmail_quote">On Sat, Oct 19, 2013 at 6:05 PM, Phil Regnauld <span dir="ltr"><<a href="mailto:regnauld@nsrc.org" target="_blank">regnauld@nsrc.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div>P Vixie (paul) writes:<br>
> M. Shulman, your summary does not list dnssec as a solution to any of these vulnerabilities, can you explain why not? Vixie<br>
<br>
</div> I was wondering about that, and went to look at the abstracts:<br>
<br>
<a href="http://link.springer.com/chapter/10.1007/978-3-642-33167-1_16" target="_blank">http://link.springer.com/chapter/10.1007/978-3-642-33167-1_16</a><br>
<br>
"Security of Patched DNS"<br>
<br>
[...]<br>
<br>
We present countermeasures preventing our attacks; however, we believe<br>
that our attacks provide additional motivation for adoption of DNSSEC<br>
(or other MitM-secure defenses).<br>
<br>
So at least this seems to be mentioned in the papers themselves (Id<br>
didn't pay to find out).<br>
<br>
But I agree that the summary would benefit from stating this, as it's<br>
currently only way to to avoid poisoning. Not stating it could lead<br>
some to believe that these attacks are immune to DNSSEC protection of<br>
the cache.<br>
<br>
Cheers,<br>
Phil<br>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div dir="ltr"><div><p style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Calibri,sans-serif"><font color="#000000">Haya Shulman</font></span></p>
<p style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Calibri,sans-serif"><font color="#000000">Technische Universität Darmstadt<u></u><u></u></font></span></p>
<p style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Calibri,sans-serif"><font color="#000000">FB Informatik/EC SPRIDE<u></u><u></u></font></span></p>
<p style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Calibri,sans-serif"><font color="#000000">Morewegstr. 30<u></u><u></u></font></span></p>
<p style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Calibri,sans-serif"><font color="#000000">64293 Darmstadt<u></u><u></u></font></span></p>
<p style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Calibri,sans-serif"><font color="#000000">Tel. <a value="+4961511675540">+49 6151 16-75540</a><u></u><u></u></font></span></p>
<p style="margin:0cm 0cm 0.0001pt;font-size:12pt;font-family:'Times New Roman',serif"><span style="font-size:11pt;font-family:Calibri,sans-serif"><a href="http://www.ec-spride.de/" target="_blank"><font color="#000000">www.ec-spride.de</font></a></span></p>
</div></div>
</div></div>