bind: how to accept authoritative answers only?

Rick Updegrove dislists at updegrove.net
Sat Jan 27 22:39:44 UTC 2001


----- Original Message -----
From: "Jim Reid" <jim at rfc1035.com>
To: "Larry Sheldon" <lsheldon at creighton.edu>; "Andre Dietisheim"
<dietisheim at gmx.net>
Cc: <comp-protocols-dns-bind at moderators.isc.org>
Sent: Saturday, January 27, 2001 11:32 AM
Subject: Re: bind: how to accept authoritative answers only?


> >>>>> "Larry" == Larry Sheldon <lsheldon at creighton.edu> writes:
>
>     >> I tried to figure out how to configure bind (on my TSL1.2) to
>     >> accept authoritative answers only, but I didn't succeed.  This
>     >> should help against IP-Spoofing as named wouldn't accept answers
>     >> of a hijacked cache that is used to spoof addresses. DJBDNS
>     >> (Bernstein stuff) behaves that way, and I would have liked to
>     >> configure bind to work that way.
>
>     Larry> I have no idea how to do what you are asking, but I am
>     Larry> interested in the assert that "authoritative" can not be
>     Larry> spoofed. How is that guaranteed?
>
> The only way to detect and ignore spoofed DNS traffic or name servers is
> by putting some sort of digital signature on each packet, presumably
> using public-key encryption. This is provided by DNSSEC: Secure DNS.
> The protocol is implemented and supported in BIND8.2 and later. There
> is no support for DNSSEC in djbdns.

There is no support for DNSSEC in djbdns because DNSSEC is useless.
DNSSEC is often falsely advertised as a software feature that you can
install to protect your computer against DNS forgeries. In fact,
installing DNSSEC does nothing to protect you, and it will continue to do
nothing for the foreseeable future.
As of January 2001, Network Solutions simply isn't doing what it proposed
in 1993. There is no Network Solutions key. There are no Network Solutions
signatures. There is no secure channel---in fact, no mechanism at all---for
Network Solutions to collect *.com keys in the first place.

> How Dr. Bernstein squares this
> with his claims of preventing spoofing is beyond me.

Dr Bernstein does claim any such thing . . . as illustrated ->
http://cr.yp.to/djbdns/guarantee.html
"The vulnerability of DNS to forgery does not qualify" (for the security
guarantee). He then explains why he can't possibly make that claim . . . yet.
See: Nym-based security http://cr.yp.to/djbdns/forgery.html
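An added illustration of the point Larry raises above (this is example code written for this archive page, not from any poster or from BIND or djbdns): the "authoritative answer" property is just the AA bit in the 12-byte DNS header, which any sender can set, so a resolver policy of "accept authoritative answers only" cannot distinguish a genuine answer from a forged one. The packet builder and the two sample responses are constructed for the demo; only a signature over the data (what DNSSEC provides) can bind an answer to a zone.

```python
import struct

def build_response(txid: int, aa: bool, rcode: int = 0) -> bytes:
    """Constructed sample: a minimal DNS response (header + one question,
    example.com IN A). Only the 16-bit flags word carries the AA bit."""
    flags = 0x8000                      # QR=1: this is a response
    if aa:
        flags |= 0x0400                 # AA: "authoritative answer" bit
    flags |= rcode & 0x000F             # RCODE in the low 4 bits
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"\x07example\x03com\x00"   # length-prefixed labels
    question = qname + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    return header + question

def parse_flags(packet: bytes) -> dict:
    """Decode the DNS header flags (RFC 1035, section 4.1.1)."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    txid, flags = struct.unpack("!HH", packet[:4])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "opcode": (flags >> 11) & 0xF,
        "aa": bool(flags & 0x0400),
        "tc": bool(flags & 0x0200),
        "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080),
        "rcode": flags & 0x000F,
    }

def accept_authoritative_only(packet: bytes) -> bool:
    """The policy the original poster asked for: keep a response only if
    it claims authority. It inspects nothing but an unsigned header bit."""
    f = parse_flags(packet)
    return f["qr"] and f["aa"]

if __name__ == "__main__":
    genuine = build_response(0x1234, aa=True)    # from the real server
    cached = build_response(0x1234, aa=False)    # relayed by a cache
    spoofed = build_response(0x1234, aa=True)    # anyone can set AA
    print(accept_authoritative_only(genuine))    # True
    print(accept_authoritative_only(cached))     # False
    print(accept_authoritative_only(spoofed))    # True
    print(genuine == spoofed)                    # True: byte-identical
```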
