Why didn't you just do a type=ANY query to "." and find out?
The answer is, of course not. The root servers are somewhat sensitive
and currently there are 13 of them because that is the maximum number
you can have without overflowing DNS UDP and requiring the much higher
number of packets needed for a DNS TCP retrieval. Exactly how this is
going to play out is not clear. The EDNS0 extension allows larger UDP
which could accommodate root level KEY and SIG RRs and EDNS0 is being
pushed through but just how fast it will be deployed is not clear.
Still, I claim every step improves DNS security. There are all kinds
of interim possibilities such as resolvers installing an "NSI" key for
a while that authenticates everything in .com, .net, .org, and .edu...
There was a DNS Operations BoF at the last IETF and some of this may
be addressed by any resulting working group.
Thanks,
Donald
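As an added illustration (not part of the thread), the following Python builds a root priming response in classic DNS wire format with name compression, and reports how much of the 512-byte UDP limit is left before and after a KEY and a SIG RR for "." are added. The key and signature sizes (1024-bit RSA/MD5) and the glue addresses are assumptions, not values from the messages.

```python
import struct

UDP_LIMIT = 512  # classic DNS-over-UDP payload limit (RFC 1035) without EDNS0

def encode_name(name, msg, table):
    """Append `name` to `msg` using RFC 1035 label compression pointers."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    while labels:
        suffix = ".".join(labels)
        if suffix in table:                       # reuse an earlier copy
            return msg + struct.pack("!H", 0xC000 | table[suffix])
        table[suffix] = len(msg)                  # remember where it starts
        msg += bytes([len(labels[0])]) + labels[0].encode()
        labels = labels[1:]
    return msg + b"\x00"                          # root label terminates

def add_rr(msg, table, name, rtype, rdata=b"", rdname=None):
    """Append one RR (class IN, TTL 3600000); RDATA is raw bytes or a compressed name."""
    msg = encode_name(name, msg, table) + struct.pack("!HHI", rtype, 1, 3600000)
    off = len(msg)
    msg += b"\x00\x00"                            # RDLENGTH, patched below
    msg = encode_name(rdname, msg, table) if rdname else msg + rdata
    return msg[:off] + struct.pack("!H", len(msg) - off - 2) + msg[off + 2:]

# Constructed KEY (type 25) and SIG (type 24) RDATA sized for a 1024-bit RSA/MD5
# key (RFC 2537 layout); the key and signature bytes are zero placeholders,
# only their lengths matter here.
KEY_RDATA = struct.pack("!HBB", 0x0101, 3, 1) + b"\x03\x01\x00\x01" + bytes(128)
SIG_RDATA = struct.pack("!HBBIIIH", 2, 1, 0, 3600000, 0, 0, 0) + b"\x00" + bytes(128)

def priming_response(n_servers=13, extra=()):
    """Build a root NS response with A glue, plus optional (type, rdata) RRs for '.'."""
    table = {}
    msg = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, n_servers + len(extra), 0, n_servers)
    msg = encode_name(".", msg, table) + struct.pack("!HH", 2, 1)   # question: . NS IN
    names = [f"{chr(ord('a') + i)}.root-servers.net." for i in range(n_servers)]
    for n in names:
        msg = add_rr(msg, table, ".", 2, rdname=n)                  # NS RRs
    for rtype, rdata in extra:
        msg = add_rr(msg, table, ".", rtype, rdata=rdata)           # KEY / SIG RRs
    for i, n in enumerate(names):                                   # A glue, constructed addresses
        msg = add_rr(msg, table, n, 1, rdata=bytes([192, 0, 2, i + 1]))
    return msg

def udp_headroom(msg):
    """Bytes left under 512; negative means the TC bit and a TCP retry without EDNS0."""
    return UDP_LIMIT - len(msg)

if __name__ == "__main__":
    plain = priming_response()
    signed = priming_response(extra=[(25, KEY_RDATA), (24, SIG_RDATA)])
    print(len(plain), udp_headroom(plain))    # 436 76
    print(len(signed), udp_headroom(signed))  # 741 -229
```

The 13-server response with glue comes to 436 bytes, but one KEY and one SIG RR for "." push it well past 512, which is why larger UDP payloads via EDNS0 matter for root-level signing.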
From: Derek Atkins <[EMAIL PROTECTED]>
To: Lucky Green <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED], [EMAIL PROTECTED]
References: <002c01be7277$c02557a0$[EMAIL PROTECTED]>
Date: 22 Mar 1999 15:23:16 -0500
In-Reply-To: Lucky Green's message of Fri, 19 Mar 1999 18:16:56 -0800
Message-Id: <[EMAIL PROTECTED]>
>Having Bind 8.2 is only the first step. Are the root servers actually
>supplying valid KEY and SIG RRs for the TLDs?
>
>-derek
>
>Lucky Green <[EMAIL PROTECTED]> writes:
>
>>
>> Seems bind 8.2 with the long-awaited secure DNS fully integrated has finally
>> been released. Say goodbye to DNS spoofing. Since the included crypto is
>> meant to be used for authentication only and the licensing agreement
>> prohibits the use of the said crypto for non-authentication purposes, the
>> distribution is freely exportable. :-)
>>
>> Install bind 8.2 on your DNS server today and permanently fix one of the
>> largest and longest-standing security holes on the Internet.
>>
>> ftp://ftp.isc.org/isc/bind/src/8.2/
>>
>> --Lucky Green <[EMAIL PROTECTED]>
>> PGP 5.x encrypted email preferred
>>
>>
>
>--
> Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
> Member, MIT Student Information Processing Board (SIPB)
> URL: http://web.mit.edu/warlord/ PP-ASEL N1NWH
> [EMAIL PROTECTED] PGP key available
>