Re: correction! Re: The math of RFC3833.2.2-spoofing a randomisingsource port resolver
Paul Vixie wrote:
>>> my position hasn't changed. has yours?
>>
>> You should change your position now.
> that's what you said ten years ago, too. let me caution you now, as then,
> against any attempt at "proof by vigorous reassertion."
The bitter reality for you is that, if you admitted your mistake 10 years
ago, Kaminsky couldn't have used glue-A for his attack.
Kaminsky's originality beyond rfc3833 is to have provided yet another
proof that your authority model is broken.
> i've demonstrated
> (again) that your proposed solution is more complex than what everybody now
> does
That many people are using a broken authority model means they
are insecure.
> i agree with florian's answer to this, where he said that the additional
> data section is mostly useless. i agree with your proposed policy, as
> stated above. the only A or AAAA RRs that should be sent or accepted in
> the additional data section are those which are (a) referenced by an NS RR
> in the authority or answer sections, and (b) have owner names at or below
> the owner name of the NS RRset which references them.
Totally wrong. I never proposed such a broken policy.
Masataka Ohta
--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>
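The additional-section acceptance policy quoted above (glue A/AAAA kept only when it is referenced by an NS RR in the answer or authority section and its owner name is at or below that NS RRset's owner name) is easy to state but worth seeing applied to a concrete referral. The following is an added illustration written for this archive page, not code from either poster or from any resolver; the record representation and the sample referral are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RR:
    """Minimal resource record: owner name, type, and rdata as text (constructed model)."""
    name: str
    rtype: str
    rdata: str

def _norm(name: str) -> str:
    # DNS names are case-insensitive; strip the trailing dot so comparisons are uniform.
    return name.rstrip(".").lower()

def in_bailiwick(owner: str, zone: str) -> bool:
    """True when `owner` is at or below `zone` (the NS RRset's owner name)."""
    o, z = _norm(owner), _norm(zone)
    return z == "" or o == z or o.endswith("." + z)

def filter_additional(answer, authority, additional):
    """Keep only the A/AAAA records in `additional` that the quoted policy allows:
    (a) the owner name is the target of some NS RR in answer or authority, and
    (b) that owner name is at or below the owner name of the referencing NS RRset.
    Everything else in the additional section is discarded rather than cached."""
    kept = []
    for rr in additional:
        if rr.rtype not in ("A", "AAAA"):
            continue  # the policy only admits address glue
        referencing_ns = [ns for ns in answer + authority
                          if ns.rtype == "NS" and _norm(ns.rdata) == _norm(rr.name)]
        if any(in_bailiwick(rr.name, ns.name) for ns in referencing_ns):
            kept.append(rr)
    return kept

# Constructed referral for example.com: one in-zone nameserver, one external nameserver.
SAMPLE_ANSWER = []
SAMPLE_AUTHORITY = [
    RR("example.com.", "NS", "ns1.example.com."),
    RR("example.com.", "NS", "ns.other-host.net."),
]
SAMPLE_ADDITIONAL = [
    RR("ns1.example.com.", "A", "192.0.2.1"),        # referenced and in bailiwick: kept
    RR("ns.other-host.net.", "A", "198.51.100.7"),   # referenced but out of bailiwick: dropped
    RR("www.example.com.", "A", "192.0.2.80"),       # in bailiwick but no NS references it: dropped
    RR("ns1.example.com.", "AAAA", "2001:db8::1"),   # referenced and in bailiwick: kept
]
```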