* Jack Lloyd:

> Perhaps there is something subtle here that is more dangerous than the
> well known problems, and all these source port randomization and
> transaction id randomization fixes are just a smokescreen of sorts for
> a fix for something Dan found.

It's not a smokescreen, it's a statistical workaround. CERT/CC mentions this:

| It is important to note that without changes to the DNS protocol, such
| as those that the DNS Security Extensions (DNSSEC) introduce, these
| mitigations cannot completely prevent cache poisoning.

<http://www.kb.cert.org/vuls/id/800113>

> A statement from the MaraDNS author [3]:
>
> """
> MaraDNS is immune to the new cache poisoning attack.

I think the CERT/CC statement is more appropriate.

---------------------------------------------------------------------
The Cryptography Mailing List
