My recommendation - upgrade your NAT.

regards
joe baptista
On Sun, Mar 7, 2010 at 3:06 AM, George Barwood <[email protected]> wrote:
> I have been wondering about this.
>
> For a resolver behind a NAT firewall that removes port randomization,
> it is possible for an attacker to spoof the priming query (only 16 bits of
> ID protection).
>
> If root-servers.net is unsigned, it's not possible for the resolver to validate
> the set of root IP addresses, meaning that
>
> (a) An attacker can control every unsigned zone.
>
> (b) An attacker can monitor every request to a signed zone (no privacy).
>
> (c) An attacker can deny service to any zone, on a selective basis.
>
> Apparently there are currently no plans to sign root-servers.net
>
> The main argument against seems to be that the priming query
> response size (with DO=1) would be greatly increased.
>
> Any thoughts?
>
> _______________________________________________
> DNSOP mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dnsop
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
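The "only 16 bits of ID protection" point in the quoted message, worked through as an added example (editor's code, not from either poster or any resolver implementation). It builds the priming query (`. IN NS` with DO=1) and a forged reply in DNS wire format, models the pre-validation checks a resolver applies to an incoming reply (the reply must hit the port the query left from, carry the same transaction ID and repeat the question), and counts how many forged packets an attacker needs when the source port is known versus unknown. The transaction ID 0xBEEF, the port 53000 and the name `ns.attacker.example` are constructed inputs; the `success_probability` formula is the standard blind-guess estimate, not anything measured.

```python
"""Added example: cost of spoofing an unsigned priming reply when a NAT
removes source-port randomization. Not part of the DNSOP thread."""
import struct

ROOT = b"\x00"                      # the root name in wire format
TYPE_NS, TYPE_OPT, CLASS_IN = 2, 41, 1


def encode_name(name: str) -> bytes:
    """Wire-encode a domain name: length-prefixed labels ending in the root."""
    labels = [l for l in name.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + ROOT


def build_priming_query(txid: int) -> bytes:
    """'. IN NS' with RD=1 and an EDNS0 OPT RR carrying DO=1 (DNSSEC OK)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = ROOT + struct.pack("!HH", TYPE_NS, CLASS_IN)
    # OPT RR: NAME=root, TYPE=41, CLASS=UDP payload size,
    # TTL=ext-rcode|version|DO|Z (DO is bit 15 of the low 16), RDLEN=0
    opt = ROOT + struct.pack("!HHIH", TYPE_OPT, 4096, 0x00008000, 0)
    return header + question + opt


def build_forged_response(txid: int, bogus_root_server: str) -> bytes:
    """QR=1, AA=1 answer to '. IN NS' naming an attacker-chosen root server."""
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, 1, 0, 0)
    question = ROOT + struct.pack("!HH", TYPE_NS, CLASS_IN)
    rdata = encode_name(bogus_root_server)
    answer = ROOT + struct.pack("!HHIH", TYPE_NS, CLASS_IN, 518400, len(rdata)) + rdata
    return header + question + answer


def question_section(msg: bytes) -> bytes:
    """Return the first question (QNAME + QTYPE + QCLASS) of a message."""
    pos = 12
    while msg[pos] != 0:            # walk labels; these messages use no compression
        pos += 1 + msg[pos]
    return msg[12:pos + 1 + 4]


def resolver_accepts(outstanding: dict, reply_dst_port: int, reply: bytes) -> bool:
    """Matching done before (or without) DNSSEC validation: the reply must
    arrive on the query's source port, carry the same 16-bit ID and repeat
    the same question (the RFC 5452 section 3 checks)."""
    reply_txid = struct.unpack("!H", reply[:2])[0]
    return (reply_dst_port == outstanding["port"]
            and reply_txid == outstanding["txid"]
            and question_section(reply) == question_section(outstanding["query"]))


def forged_packets_until_accepted(real_txid: int, real_port: int,
                                  attacker_port_guess: int):
    """Attacker sends one forged reply per possible ID to a single guessed
    port. Returns the packet count at which a reply is accepted, or None if
    all 65536 IDs are exhausted (the port guess was wrong)."""
    outstanding = {"txid": real_txid, "port": real_port,
                   "query": build_priming_query(real_txid)}
    for attempt, txid in enumerate(range(1 << 16), start=1):
        forged = build_forged_response(txid, "ns.attacker.example")
        if resolver_accepts(outstanding, attacker_port_guess, forged):
            return attempt
    return None


def success_probability(entropy_bits: int, packets: int) -> float:
    """Chance that `packets` blind guesses hit `entropy_bits` of unknown state."""
    return 1.0 - (1.0 - 2.0 ** -entropy_bits) ** packets


if __name__ == "__main__":
    # Constructed scenario: the resolver picked ID 0xBEEF and source port 53000.
    # A NAT that rewrites ports predictably hands the attacker the port for free.
    print("port known:  ", forged_packets_until_accepted(0xBEEF, 53000, 53000))
    print("port unknown:", forged_packets_until_accepted(0xBEEF, 53000, 53001))
    print("P(hit | 16 bits, 2^16 packets) = %.3f" % success_probability(16, 1 << 16))
    print("P(hit | 32 bits, 2^16 packets) = %.6f" % success_probability(32, 1 << 16))
```

With the port known, the attacker's budget is at most 65536 packets, well within one round-trip to a root server on any modern link; with a randomized port the same budget buys roughly a 1-in-65536 chance. The model deliberately stops at the acceptance check: whether the resolver could then reject the forged root server set depends on root-servers.net being signed, which is exactly the quoted message's point.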
