Suggestion for enhancement to DNS

James Cammarata jimi at sngx.net
Mon Aug 11 18:05:46 UTC 2008


On Mon, 11 Aug 2008 10:44:29 -0700, "Bryan Irvine" <sparctacus at gmail.com>
wrote:
> or DNSSEC  :-)

Yeah, I'm just reading up on DNSSEC, though it seems like that is a much
more involved solution, requiring a lot more work to get out.  This would
be a stop-gap methodology to prevent brute force cache poisoning attacks.


On Mon, 11 Aug 2008 12:56:15 -0500 (CDT), "Jeremy C. Reed"
<Jeremy_Reed at isc.org> wrote:
> Hi James, I guess I am missing something from this. How would it know
> this "correct matching answer"?
> 
> Also a "signature-type resource record" is already available and is used
> by some.

What I mean is, if you request <HASH>.domain.name as a second question
along with, i.e., www.domain.name, the server will send you back the answer
(either as NXDOMAIN or a signature resource record if it had it).  Someone
trying to forge the response would have to see the original request to know
what the hash was in the original question (otherwise the question/answer
wouldn't match up and the response would be discarded).

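The matching check the post describes, as an added example (not the poster's code and not BIND's): the resolver builds the two-question query with a random nonce label and accepts a reply only if its ID, QR bit and complete question section, nonce included, match what was sent. It assumes names in the question section are uncompressed and models only the header and question section of a message.

```python
import secrets
import struct

A, IN = 1, 1  # QTYPE A, QCLASS IN

def encode_name(name):
    """DNS wire format: length-prefixed labels, ending with a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def decode_name(wire, off):
    """Assumes uncompressed names (no 0xC0 pointers) in the question section."""
    labels = []
    while wire[off]:
        n = wire[off]
        labels.append(wire[off + 1:off + 1 + n].decode())
        off += 1 + n
    return ".".join(labels).lower(), off + 1

def build_message(txid, qnames, response=False):
    """Header plus question section only (ANCOUNT/NSCOUNT/ARCOUNT are zero)."""
    flags = 0x8100 if response else 0x0100  # QR bit set on replies; RD on both
    msg = struct.pack("!HHHHHH", txid, flags, len(qnames), 0, 0, 0)
    for qname in qnames:
        msg += encode_name(qname) + struct.pack("!HH", A, IN)
    return msg

def build_query(qname):
    """Two questions, as the post proposes: the real name and <HASH>.qname."""
    nonce = secrets.token_hex(16)  # 128-bit random label (32 chars, under the 63 limit)
    return build_message(secrets.randbits(16), [qname, f"{nonce}.{qname}"]), nonce

def parse(wire):
    """Return (ID, QR flag, set of (name, qtype, qclass)) for a message."""
    txid, flags, qdcount = struct.unpack("!HHH", wire[:6])
    off, questions = 12, set()
    for _ in range(qdcount):
        name, off = decode_name(wire, off)
        qtype, qclass = struct.unpack("!HH", wire[off:off + 4])
        off += 4
        questions.add((name, qtype, qclass))
    return txid, bool(flags & 0x8000), questions

def response_acceptable(query, response):
    """Resolver-side check: ID matches, QR set, and the whole question section
    (nonce label included) is echoed back; anything else is discarded."""
    qid, _, asked = parse(query)
    rid, is_response, echoed = parse(response)
    return is_response and rid == qid and echoed == asked
```

A reply that happens to match the 16-bit ID but lacks the nonce question fails the question-section comparison, which is the property the post relies on.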