On Tue, 19 Aug 2008, bert hubert wrote:
> In fact, I'm so far not having luck getting around even my 3-year-old primitive anti-spoofing behaviour.
Funny, that's not what Dan's talk said. PowerDNS specifically was trivial to spoof based on bogus query types, since PowerDNS dropped those packets and the evil guy could race without the good guy racing, and therefore always win and inject bogus records.

You, like everyone else, needed to patch against one of Dan's attacks. So don't come with this "my 3 year old code was not vulnerable" thing just because you didn't have the same bug as BIND. You had a different bug, which would not have been an issue if three years ago instead you had DNSSEC.

Paul