Jim Reid wrote:

> The fact is DNSSEC is the *only* game in town for preventing cache  
> poisoning.

Not at all.

If a caching server is not required to perform public key computation
to verify RRs before caching, cache poisoning won't be detected by
the caching server; average clients of it suffer from a long-lasting
DoS from DNSSEC verification failure, turn off DNSSEC, and will be
victims of another poisoning of their own cache.

The property of Kaminsky's attack that it is effective against a single
target is useful here.

If a caching server is required to perform public key computation to
verify RRs before caching, it can't support many clients and will be
such an easy victim of DDoS. Average clients of it turn off DNSSEC and ...
Or, an average administrator of the server turns off DNSSEC.

                                                Masataka Ohta

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop