Message-ID: <526D66C9.9060809@wenks.ch>
Date: Sun, 27 Oct 2013 20:17:29 +0100
From: Fabian Wenk <fabian@...ks.ch>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Slightly OT: What SSL cert do you consider strongest?
Hello Jeffrey
On 24.10.2013 10:54, Jeffrey Walton wrote:
>
> Dr. Bernstein has a good time with DNSSEC in his talks. See, for
> example, Cryptography Worst Practices,
> http://secappdev.org/lectures/144. The entire talk is good, but his
> DNSSEC bashing occurs around 14:40 (min:sec).
I watched a larger part of this video from that point on.
Regarding forgetting to re-sign a DNSSEC zone, I would like to
point out that ISC BIND 9.9 does support 'inline signing'. This
has the advantage that the zone will be signed automatically upon
reloading it. Also, BIND will re-sign the zone as needed at run
time.
Regarding the UDP amplification attack with spoofed source
addresses, since version 9.9.4 ISC BIND has Response Rate
Limiting (RRL) available. But a much better solution would be if
all ISPs and other network operators of IP ranges protected
their own networks in such a way that they drop packets at
their borders when the source address is not from their own IP
ranges. This would prevent not only the DNSSEC amplification
attack he was talking about, but also the same attack with other
DNS requests and other UDP-based public services (e.g. NTP).
bye
Fabian
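The two BIND settings referred to above, inline signing and Response Rate Limiting, as an added named.conf fragment that is not part of Fabian's message or of ISC's documentation. "example.com", the file paths and the rate values are placeholders chosen for illustration; the option names are the real BIND 9.9 ones.

```conf
// Added example, not part of the original message. "example.com", the
// paths and the numeric values are placeholders.

options {
    directory "/var/cache/bind";

    // Response Rate Limiting (BIND 9.9.4 and later): identical responses
    // towards one /24 (IPv4) or /56 (IPv6) are capped at 5 per second,
    // averaged over a 5 second window. Every second excess UDP answer is
    // sent truncated ("slip"), so a real client retries over TCP, which
    // cannot be source-spoofed, while a reflected victim gets small
    // truncated packets instead of large DNSSEC answers.
    rate-limit {
        responses-per-second 5;
        window 5;
        slip 2;
        log-only no;   // set to yes first to log what would be dropped
    };
};

// Before: a manually signed zone. The RRSIGs inside the signed file expire
// (dnssec-signzone's default validity is 30 days) unless an administrator
// remembers to run dnssec-signzone again and reload.
// zone "example.com" {
//     type master;
//     file "/etc/bind/zones/example.com.zone.signed";
// };

// After: inline signing (BIND 9.9 and later). named keeps the unsigned
// file exactly as written, produces and serves a separate signed copy on
// load, and re-signs RRsets itself before their signatures expire.
zone "example.com" {
    type master;
    file "/etc/bind/zones/example.com.zone";
    key-directory "/etc/bind/keys";
    inline-signing yes;
    auto-dnssec maintain;
};
```

The keys named must already exist in key-directory, for example created with `dnssec-keygen -K /etc/bind/keys -a RSASHA256 -b 2048 -f KSK example.com` and `dnssec-keygen -K /etc/bind/keys -a RSASHA256 -b 1024 example.com` (the -b value is a placeholder choice). After `named-checkconf` and `rndc reload example.com`, `dig +dnssec example.com SOA @localhost` should return RRSIG records whose expiry keeps moving forward without any further manual signing.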
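The border filtering that the message asks every network operator to deploy (known as BCP 38 / ingress filtering), modelled as an added Python example that is not part of the original message. The operator prefixes, the packet list and the function names are constructed for illustration; the example also applies the mirror-image rule in the inbound direction (packets arriving from the internet that claim one of the operator's own addresses), which goes beyond what the message spells out.

```python
"""Model of a border anti-spoofing filter (BCP 38 style).

Added example, not from the original message. OWN_PREFIXES, PACKETS and
all function names are constructed for illustration.
"""
from ipaddress import ip_address, ip_network

# Hypothetical operator: the address space it announces to the internet.
OWN_PREFIXES = [ip_network("192.0.2.0/24"), ip_network("2001:db8::/32")]


def is_own(addr, prefixes=OWN_PREFIXES):
    """True if addr falls inside one of the operator's own prefixes."""
    a = ip_address(addr)
    return any(a in p for p in prefixes if p.version == a.version)


def border_verdict(direction, src, dst, prefixes=OWN_PREFIXES):
    """Decide what the border router does with one packet.

    direction: "out" = leaving the operator's network towards the internet,
               "in"  = arriving from the internet.
    Returns "forward" or "drop:<reason>".
    """
    if direction == "out":
        # Egress rule from the message: anything leaving must carry one of
        # our own source addresses. A customer host putting the victim's
        # address into DNS or NTP requests is stopped here, so the reflector
        # never sees the spoofed query, whatever its amplification factor.
        if not is_own(src, prefixes):
            return "drop:spoofed-source-leaving"
        return "forward"
    if direction == "in":
        # Mirror rule (beyond the message): nothing arriving from outside can
        # legitimately claim to come from inside our own ranges.
        if is_own(src, prefixes):
            return "drop:own-source-arriving"
        return "forward"
    raise ValueError("direction must be 'in' or 'out'")


# Constructed traffic sample: (direction, source, destination).
PACKETS = [
    ("out", "192.0.2.10", "198.51.100.53"),      # customer's real DNS query
    ("out", "203.0.113.7", "198.51.100.53"),     # spoofs victim towards a DNS server
    ("out", "203.0.113.7", "198.51.100.123"),    # same, towards an NTP server
    ("in", "198.51.100.53", "192.0.2.10"),       # reply to the real query
    ("in", "192.0.2.99", "192.0.2.10"),          # outsider posing as an inside host
    ("out", "2001:db8::1", "2001:db9::53"),      # real IPv6 query
]


def filter_packets(packets=PACKETS, prefixes=OWN_PREFIXES):
    """Apply border_verdict to every packet; returns {"forward": [...], "drop": [...]}."""
    result = {"forward": [], "drop": []}
    for direction, src, dst in packets:
        verdict = border_verdict(direction, src, dst, prefixes)
        key = "forward" if verdict == "forward" else "drop"
        result[key].append((direction, src, dst, verdict))
    return result


if __name__ == "__main__":
    for key, entries in filter_packets().items():
        for entry in entries:
            print(key.upper(), entry)
```

The point the message makes is visible in the second and third packets: the filter does not need to know anything about DNSSEC, NTP or rate limits, it only needs to know which source addresses can legitimately leave the network, so one rule at every operator's border removes the whole class of reflection attacks rather than one service at a time.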
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/