On Mon, 11 Aug 2008, James Cammarata wrote:

> My solution would be as follows: whenever a DNS server issues a recursive
> query request, add a second question. This question could take several
> forms, it could be for a bogus sub-domain, or just some randomly generated
> hash. If the DNS protocol were extended to allow a new signature-type
> resource record (a long run, I know), the replying server would essentially
> just echo back the question (or if it were done today you'd get NXDOMAIN
> back). Either way, this would prevent a cache poisoning flood attack,
> since only the actual server questioned would have the correct matching
> answer.
Hi James,

I guess I am missing something from this. How would it know this "correct matching answer"? Also a "signature-type resource record" is already available and is used by some.
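As an added illustration, not part of either post, here is an in-memory sketch of the matching check the proposal relies on: the resolver keeps the random second question it generated and accepts a response only if its question section echoes both questions exactly. All names, classes and the stand-in responders are constructed for the example; nothing here speaks real DNS.

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Question:
    name: str
    qtype: str


@dataclass(frozen=True)
class Message:
    txid: int
    questions: tuple  # question section; a responder echoes it verbatim


class Resolver:
    """Resolver side of the check: remember what was sent, accept only a faithful echo."""

    def __init__(self):
        self.pending = {}  # txid -> (real question, nonce question)

    def make_query(self, name, qtype="A"):
        txid = secrets.randbelow(1 << 16)
        # Second question: a random label under the queried name that a spoofer cannot predict.
        nonce = Question(f"{secrets.token_hex(8)}.{name}", qtype)
        real = Question(name, qtype)
        self.pending[txid] = (real, nonce)
        return Message(txid, (real, nonce))

    def accept(self, response):
        expected = self.pending.get(response.txid)
        if expected is None:
            return False  # unknown, or already answered, transaction
        if tuple(response.questions) != expected:
            return False  # txid matched, but the echoed question section did not
        del self.pending[response.txid]  # one answer per outstanding query
        return True


def authoritative_reply(query):
    # Constructed stand-in for the genuine server: it saw the query, so it echoes both questions.
    return Message(query.txid, query.questions)


def forged_reply(txid, name, qtype="A"):
    # Constructed stand-in for a spoofed packet: txid and real name known, nonce label unknown.
    return Message(txid, (Question(name, qtype), Question(f"guess.{name}", qtype)))


def demo(name="example.com"):
    r = Resolver()
    q = r.make_query(name)
    forged_ok = r.accept(forged_reply(q.txid, name))      # wrong nonce -> rejected
    real_ok = r.accept(authoritative_reply(q))            # faithful echo -> accepted
    replay_ok = r.accept(authoritative_reply(q))          # same txid again -> rejected
    return forged_ok, real_ok, replay_ok
```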
