On Tue, Aug 19, 2008 at 01:13:44PM -0400, Paul Wouters wrote:
> On Tue, 19 Aug 2008, bert hubert wrote:
>
> >In fact, I'm so far not having luck getting around even my 3-year old
> >primitive anti-spoofing behaviour.
>
> Funny, that's not what Dan's talk said. PowerDNS specifically was trivial to
> spoof based on bogus query types, since PowerDNS dropped those packets and

You misunderstood Dan's talk in that case. See
http://doc.powerdns.com/powerdns-advisory-2008-02.html for details.

> one of Dan's attacks. So don't come with this "my 3 year old code was not
> vulnerable" thing just because you didn't have the same bug as bind. You
> had a different bug, which would have not been an issue if three years ago
> instead you had DNSSEC.

Perhaps I should explain myself better.

The software I refer to has detected spoofing attempts in the past 3 years
already, and acted on that.

The software I refer to has further behaviour that, unintentionally, makes
spoofing it very hard.

Again - this is about TODAY. DNSSEC might be the end all solution but even if
it is, it is not deployed widely today and it won't be 12 months from now.

Countermeasures serve a function.

	Bert

-- 
http://www.PowerDNS.com      Open source, database driven DNS Software
http://netherlabs.nl              Open and Closed source services

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop