Vulnerability to cache poisoning -- the rest of the solution

Alan Clegg Alan_Clegg at isc.org
Fri Jul 11 21:35:34 UTC 2008


James Pratt wrote:
> So the big question really is - Is the security of the internet in
> *real* big trouble after blackhat, unless dnssec is implemented
> basically everywhere?

Security of the internet is not in trouble (depending on what you mean
by "security")...

The ability to know for sure that you are (or are not) talking to the
thing that you want to talk to is what is at (grave) risk.

DNSSEC is the "final" answer, but we can't deploy it globally in the
next 30 days (or less).

For now, randomize your query source ports.  Please.

> I understand it's great to have your own rr's secured, but it probably
> doesn't help much at all internally if you *have to* give your lan/wan
> clients recursion, correct?

DNSSEC only helps if both the authoritative server and either the
upstream recursor or your applications are DNSSEC aware/validating.

AlanC
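As an added example (not part of the original message or of BIND), a defender's check for the mitigation recommended above: given tcpdump-style lines for a resolver's outbound queries, it counts distinct source ports and measures the observed entropy of ports and transaction IDs, so a resolver still pinned to a single source port stands out. The two captures are constructed to show the contrast; a real check would run over thousands of queries and expect close to 16 bits of port entropy.

```python
import math
import re
from collections import Counter

# Constructed tcpdump-style output (not a real capture). Resolver A always
# queries from port 53 (the weak fixed-port behaviour); resolver B picks a
# fresh high source port for every query.
CAPTURE_FIXED_PORT = """\
12:00:01.000001 IP 192.0.2.10.53 > 198.51.100.1.53: 4123+ A? www.example.com. (33)
12:00:01.000002 IP 192.0.2.10.53 > 198.51.100.2.53: 9817+ A? mail.example.net. (34)
12:00:01.000003 IP 192.0.2.10.53 > 198.51.100.3.53: 27001+ AAAA? www.example.org. (37)
12:00:01.000004 IP 192.0.2.10.53 > 198.51.100.1.53: 55321+ MX? example.com. (29)
12:00:01.000005 IP 192.0.2.10.53 > 198.51.100.4.53: 61002+ A? ns1.example.net. (33)
12:00:01.000006 IP 192.0.2.10.53 > 198.51.100.2.53: 130+ A? www.example.com. (33)
"""
CAPTURE_RANDOM_PORT = """\
12:00:02.000001 IP 192.0.2.11.34873 > 198.51.100.1.53: 17321+ A? www.example.com. (33)
12:00:02.000002 IP 192.0.2.11.51209 > 198.51.100.2.53: 60912+ A? mail.example.net. (34)
12:00:02.000003 IP 192.0.2.11.60001 > 198.51.100.3.53: 2048+ AAAA? www.example.org. (37)
12:00:02.000004 IP 192.0.2.11.1987 > 198.51.100.1.53: 44100+ MX? example.com. (29)
12:00:02.000005 IP 192.0.2.11.42817 > 198.51.100.4.53: 31337+ A? ns1.example.net. (33)
12:00:02.000006 IP 192.0.2.11.29044 > 198.51.100.2.53: 9+ A? www.example.com. (33)
"""

# Source IP, source port and DNS transaction ID of an outbound UDP query to port 53.
QUERY_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > \S+\.53: (?P<txid>\d+)\+"
)

def shannon_bits(values):
    """Observed entropy of a sample in bits (0.0 when every value is identical)."""
    if not values:
        return 0.0
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())

def analyze_query_ports(capture):
    """Summarise source-port and TXID diversity of the queries in a capture."""
    ports, txids = [], []
    for line in capture.splitlines():
        m = QUERY_RE.search(line)
        if m:
            ports.append(int(m["sport"]))
            txids.append(int(m["txid"]))
    distinct = len(set(ports))
    verdict = "NO_QUERIES" if not ports else ("FIXED_PORT" if distinct == 1 else "RANDOMIZED")
    return {"queries": len(ports), "distinct_ports": distinct,
            "port_entropy_bits": shannon_bits(ports),
            "txid_entropy_bits": shannon_bits(txids), "verdict": verdict}

if __name__ == "__main__":
    for name, cap in (("fixed", CAPTURE_FIXED_PORT), ("random", CAPTURE_RANDOM_PORT)):
        print(name, analyze_query_ports(cap))
```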
