On Wed, Feb 20, 2013 at 08:48:19AM +0100,
Jan-Piet Mens jpmens@gmail.com wrote
a message of 12 lines which said:
FYI, a paper (Feb 2013) titled Defending against DNS reflection
amplification attacks at [1].
Very good paper, highly recommended.
I was surprised they did not test NSD+RRL
On Feb 22, 2013, at 2:58 AM, Stephane Bortzmeyer bortzme...@nic.fr wrote:
they keep pretending that the DNS attack in Brazil was cache poisoning, while
it has been widely documented for a long time
http://www.securelist.com/en/blog/208193852/The_tale_of_one_thousand_and_one_DSL_modems.
I
Warren,
On Feb 22, 2013, at 7:42 AM, Warren Kumari war...@kumari.net wrote:
http://dnssec-deployment.org/pipermail/dnssec-deployment/2012-July/006003.html
Thanks! Missed that message somehow.
BIND 4.8.anything in 2010? I weep for humanity.
Regards,
-drc
David Conrad d...@virtualized.org wrote:
Has there been any documented attack that would have been prevented by
DNSSEC that one can point to?
DigiNotar's bogus Google certificate would not have worked with DANE.
Tony.
--
f.anthony.n.finch d...@dotat.at http://dotat.at/
Forties, Cromarty:
* David Conrad [2013-02-22 16:18]:
Has there been any documented attack that would have been prevented by DNSSEC
that one can point to?
This paper describes a censorship attack which could be mitigated by DNSSEC:
http://conferences.sigcomm.org/sigcomm/2012/paper/ccr-paper266.pdf
Regards,
Matt
On Feb 22, 2013, at 4:04 AM, Paul Vixie p...@redbarn.org wrote:
at which point it's easier to fix source address validation and make THAT
universal. which we already know can't be done.
Don't confuse won't with can't. It absolutely can be done. It won't be done
because the carriers see profit
On 22 Feb 2013, at 17:55, Jo Rhett jrh...@netconsonance.com wrote:
Don't confuse won't with can't. It absolutely can be done.
With sufficient thrust, even pigs can fly.
There's no point arguing the semantics of don't and can't. As Paul
mentioned earlier, let's remain realistic. Universal
On 2013-02-22, at 13:55, Jo Rhett jrh...@netconsonance.com wrote:
On Feb 22, 2013, at 4:04 AM, Paul Vixie p...@redbarn.org wrote:
at which point it's easier to fix source address validation and make THAT
universal. which we already know can't be done.
Don't confuse won't with can't. It
* Tony Finch wrote:
DigiNotar's bogus Google certificate would not have worked with DANE.
But the erroneous transfer of ebay.de would create a disaster with DANE.
___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
From: Joe Abley jab...@hopcount.ca
If you can describe BCP38 deployment in a non-trivial network such
that deployment is to the benefit of shareholders and non-deployment
is not, I'm all ears. Absent regulation and punitive fines for
non-compliance, I don't see it.
Civil lawsuits by victims
From: Lutz Donnerhacke l...@iks-jena.de
But the erroneous transfer of ebay.de would create a disaster with DANE.
In what way would DANE make the theft of a domain worse?
Without DANE, the new possessor of a domain need only get SMTP working,
create a new cert, apply for signature for a new
On Feb 22, 2013, at 10:19 AM, Jim Reid j...@rfc1035.com wrote:
There's no point arguing the semantics of don't and can't. As Paul
mentioned earlier, let's remain realistic. Universal deployment of BCP38
simply isn't going to happen, no matter how much you or I *really want* that.
[And I
On Feb 22, 2013, at 10:22 AM, Joe Abley jab...@hopcount.ca wrote:
- big companies with staff who care about BCP38 have likely already deployed
it;
No. I've had this conversation many times and employees of big companies feel
that it's impossible, and don't even raise the issue with their
Civil lawsuits by victims of DNS reflection and other attacks that
depend on failures to deploy BCP38 might help convince boards of
directors.
as will black helicopters. can we stick to reality as we actually
experience it? it is the reality on which the management, of which
joe spoke so
On Fri, Feb 22, 2013 at 07:42:17PM +, Vernon Schryver wrote:
From: Lutz Donnerhacke l...@iks-jena.de
But the erroneous transfer of ebay.de would create a disaster with DANE.
In what way would DANE make the theft of a domain worse?
On top of all the excellent points Vernon makes
On Fri, Feb 22, 2013 at 10:19 AM, Jim Reid j...@rfc1035.com wrote:
The financial and legal incentives for adopting BCP38 aren't there and almost
certainly never will be. This doesn't of course mean we should stop efforts
to find those incentives. Or give up on encouraging wider BCP38
Colm MacCárthaigh (colm) writes:
Are there ways that neutral third parties (Cymru and Caida come to
mind) could maintain lists of networks that don't enforce BCP38?
Not likely - there is an existing project to collect these kinds of
stats:
http://spoofer.cmand.org/
Are there CA vendors who give out EV certificates for $fee + answer the
e-mail? I know you can get basic SSL certs simply by answering the
e-mail from the CA.
Not that look for the green bar is going to be a whole lot more
successful than Don't say yes to security exceptions you don't
On Feb 22, 2013, at 12:04 PM, Randy Bush ra...@psg.com wrote:
Civil lawsuits by victims of DNS reflection and other attacks that
depend on failures to deploy BCP38 might help convince boards of
directors.
as will black helicopters. can we stick to reality as we actually experience
it?
Civil lawsuits by victims of DNS reflection and other attacks that
depend on failures to deploy BCP38 might help convince boards of
directors.
Having been a witness in two of these lawsuits,
cites, please
randy
On Feb 22, 2013, at 2:09 PM, Randy Bush ra...@psg.com wrote:
Civil lawsuits by victims of DNS reflection and other attacks that
depend on failures to deploy BCP38 might help convince boards of
directors.
Having been a witness in two of these lawsuits,
cites, please
That's a great request
At 09:26 22-02-2013, Matthäus Wander wrote:
This paper describes a censorship attack which could be mitigated by DNSSEC:
http://conferences.sigcomm.org/sigcomm/2012/paper/ccr-paper266.pdf
See https://lists.dns-oarc.net/pipermail/dns-operations/2010-March/005343.html
Regards,
-sm
Below:
On Fri, Feb 22, 2013 at 11:45 AM, Jo Rhett jrh...@netconsonance.com wrote:
On Feb 22, 2013, at 10:19 AM, Jim Reid j...@rfc1035.com wrote:
There's no point arguing the semantics of don't and can't. As Paul
mentioned earlier, let's remain realistic. Universal deployment of BCP38
Are you willing to also help us do the hard work to do the right thing?
I'm pretty sure the answer is Yes.
So let's get busy, and stop finding reasons not to do the Right Thing.
- ferg
you may have a problem with your mail system. it seems to be re-sending
messages from a decade ago,
On Fri, Feb 22, 2013 at 7:13 PM, Randy Bush ra...@psg.com wrote:
Are you willing to also help us do the hard work to do the right thing?
I'm pretty sure the answer is Yes.
So let's get busy, and stop finding reasons not to do the Right Thing.
- ferg
you may have a problem with your mail
On Fri, Feb 22, 2013 at 7:38 PM, Randy Bush ra...@psg.com wrote:
one urban definition of insanity is repeating the same thing expecting
different results.
i do not disagree with bcp38. i just don't think repeating that anyone
who does not deploy it is an anti-internet asshole is going to