On Mon, 11 Aug 2008 10:44:29 -0700, "Bryan Irvine" <[EMAIL PROTECTED]> wrote:
> or DNSSEC :-)

Yeah, I'm just reading up on DNSSEC, though it seems like that is a much more involved solution, requiring a lot more work to get out. This would be a stop-gap methodology to prevent brute force cache poisoning attacks.

On Mon, 11 Aug 2008 12:56:15 -0500 (CDT), "Jeremy C. Reed" <[EMAIL PROTECTED]> wrote:
> Hi James, I guess I am missing something from this. How would it know this
> "correct matching answer"?
>
> Also a "signature-type resource record" is already available and is used
> by some.

What I mean is, if you request <HASH>.domain.name as a second question along with, i.e., www.domain.name, the server will send you back the answer (either as NXDOMAIN or a signature resource record if it had it). Someone trying to forge the response would have to see the original request to know what the hash was in the original question (otherwise the question/answer wouldn't match up and the response would be discarded).
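The matching check James describes, as an added Python simulation that is not part of the original thread: the resolver sends the real question plus an unguessable <HASH>.zone question, the authoritative server echoes the question section back (NXDOMAIN for the hash label it has never heard of), and an off-path forger that even guesses the transaction ID correctly is discarded because its question section cannot match. The `Message`/`Resolver` names, the `txid` handling and the sample zone data are constructed for this example.

```python
import secrets
from dataclasses import dataclass

@dataclass
class Message:
    txid: int
    questions: tuple   # question section (qnames); a responder echoes it back unchanged
    answers: dict      # qname -> rdata, or "NXDOMAIN"

class Resolver:
    """Asks the real question plus a second <HASH>.zone question nobody off-path can guess."""
    def __init__(self):
        self.pending = {}  # txid -> question section we expect echoed back

    def build_query(self, name):
        zone = name.split(".", 1)[1]
        nonce = secrets.token_hex(16)  # 128 random bits; only the path to the server sees them
        qs = (name, f"{nonce}.{zone}")
        txid = secrets.randbelow(65536)
        self.pending[txid] = qs
        return Message(txid, qs, {})

    def accept(self, resp):
        """Accept only if txid AND the whole question section (nonce label included) match."""
        expected = self.pending.get(resp.txid)
        if expected is None or resp.questions != expected:
            return False  # forged or stale: discard and keep waiting for the real answer
        del self.pending[resp.txid]
        return True

def authoritative_answer(query, zone_data):
    """Constructed authoritative server: answers what it knows, NXDOMAIN for the hash label."""
    answers = {q: zone_data.get(q, "NXDOMAIN") for q in query.questions}
    return Message(query.txid, query.questions, answers)

def blind_forgery(name, txid_guess):
    """Off-path forger: may guess the 16-bit txid, but never saw the nonce label."""
    zone = name.split(".", 1)[1]
    return Message(txid_guess, (name, f"{'0' * 32}.{zone}"), {name: "203.0.113.66"})

def demo():
    zone_data = {"www.example.net": "192.0.2.10"}  # constructed sample zone
    r = Resolver()
    q = r.build_query("www.example.net")
    forged_ok = r.accept(blind_forgery("www.example.net", q.txid))  # txid guessed right
    real = authoritative_answer(q, zone_data)
    return forged_ok, r.accept(real), real.answers  # (False, True, {...})
```

Note that the check only adds entropy the forger cannot see; like source-port randomisation it raises the cost of blind guessing rather than authenticating the data the way DNSSEC does.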
