Message-Id: <200807151614.m6FGEgx4015163@drugs.dv.isc.org>
Date: Wed, 16 Jul 2008 02:14:42 +1000
From: Mark Andrews <Mark_Andrews@....org>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: DNS Cache Dan Kamikaze (Actual Exploit Discussion)


> --On Tuesday, July 15, 2008 09:14:39 +1000 Mark Andrews <Mark_Andrews@....org> wrote:
>
> > 	And the best solution to this attack is to deploy DNSSEC.
> > 	You don't care where the response comes from provided the
> > 	signatures are good.
> >
> 
> Except that DNSSEC is going to have to improve dramatically to achieve
> widespread adoption.  Right now it's a PITA to understand and implement and
> then 30 days later you have to do it all over again.  Frankly, it's not worth
> the effort until the technology improves enough to make it easier to implement
> and maintain.

	Have you actually tried to sign a zone?
	Have you actually tried to re-sign a zone?

	Just use the defaults and don't try to control every aspect.

	It really is not that difficult and yes it is getting easier
	still.  If you can manage a zone, you can manage a signed
	zone.

	If you are writing a nameserver there is a lot you need to
	know but to administer a signed zone there is very little
	you need to know.

	http://www.isc.org/sw/bind/docs/DNSSEC_in_6_minutes.pdf

> I know you don't want to hear that, but that's the truth.
> 
> -- 
> Paul Schmehl
> As if it wasn't already obvious,
> my opinions are my own and not
> those of my employer.
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews@....org
