<html>
<head></head>
<body>
<div dir="ltr">
This attack was predicted by DNS RRL in 2012 and as such is not novel. All full resolvers should make RRL the default, as BIND9 seems to have done.
</div><br>
<div dir="ltr">
https://circleid.com/posts/20130913_on_the_time_value_of_security_features_in_dns
</div><br>
<div dir="ltr">
I am in full support of ISC's position on this.
</div><br>
<div dir="ltr">
p vixie
</div><br>
<div class="bx-html">
<div class="bx-body">
<div class="quote">
On May 28, 2024 09:10, Ondřej Surý &lt;ondrej@sury.org&gt; wrote:<br type="attribution">
<blockquote class="quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<p dir="ltr">Stephane,</p>
<p dir="ltr">I must say that I am disappointed by the narrative that you are creating here: “this is good reading, but ISC disagrees”.</p>
<p dir="ltr">We actually think the proposed attack is a very clever way to abuse the way modern resolvers work. Our argument is that the existing (default) BIND 9 settings already mitigate the attack to a level that’s just enough. And that’s described at length in the mentioned blogpost by Nicki.</p>
<p dir="ltr">I don’t know why you are trying to create a rift where there’s really none.</p>
<p dir="ltr">Ondřej<br>
--<br>
Ondřej Surý (He/Him)</p>
<p dir="ltr">> On 27. 5. 2024, at 17:12, Stephane Bortzmeyer &lt;bortzmeyer@nic.fr&gt; wrote:<br>
> <br>
> The paper is good reading:<br>
> <br>
> https://dnsbomb.net/<br>
> <br>
> ISC disagrees:<br>
> <br>
> https://www.isc.org/blogs/2024-dnsbomb/<br>
> <br>
> _______________________________________________<br>
> dns-operations mailing list<br>
> dns-operations@lists.dns-oarc.net<br>
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations<br></p>
</blockquote>
</div>
</div>
</div>
</body>
</html>