On Tue, Sep 10, 2013 at 07:14:04PM +0300, Haya Shulman <[email protected]> wrote a message of 187 lines which said:
> > the trouble with randomizing the IPID is that this would require
> > kernel-level patches (as opposed to just DNS server software
> > upgrade), I believe. This makes it somewhat harder to deploy.
> >
>
> Can you please extend? In particular, why is it more difficult (and
> how much more difficult is it) to deploy by distributing a kernel
> patch?

Sociological reasons: it's a different bunch of people. On this list, you have many (most?) of the persons who actually write DNS software. You can get in touch with them and convince them. Kernel people are a different crowd, quite separate.

Practical reasons: people hesitate more to change the kernel (because it can lead to various trouble, difficult to fix, especially remotely) than to change the DNS server (where you can always backtrack, in the worst case).

Security researchers seem to always think that patching software is simple. Operations people know otherwise.
