Re: correction! Re: The math of RFC3833.2.2-spoofing a randomising source port resolver
Paul Vixie wrote:
>>>my position hasn't changed. has yours?
>>You should change your position now.
> that's what you said ten years ago, too. let me caution you now, as then,
> against any attempt at "proof by vigorous reassertion."
The bitter reality for you is that, if you admitted your mistake 10 years
ago, Kaminsky couldn't have used glue-A for his attack.
Kaminsky's originality beyond rfc3833 is to have provided yet another
proof that your authority model is broken.
> i've demonstrated
> (again) that your proposed solution is more complex than what everybody now
That many people are using a broken authority model means they
> i agree with florian's answer to this, where he said that the additional
> data section is mostly useless. i agree with your proposed policy, as
> stated above. the only A or AAAA RRs that should be sent or accepted in
> the additional data section are those which (a) referenced by an NS RR
> in the authority or answer sections, and (b) having owner names at or below
> the owner name of the NS RRset who references them.
Totally wrong. I never proposed such a broken policy.
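The additional-data policy quoted from Paul Vixie's message above, conditions (a) and (b), written out as a filter. This is an added example, not code from the thread or from any resolver; the `RR` tuple, the function names and the sample records are constructed for illustration.

```python
from typing import NamedTuple

class RR(NamedTuple):
    owner: str   # owner name of the record
    rtype: str   # "NS", "A", "AAAA", ...
    rdata: str   # NS target name, or an address

def labels(name):
    """Case-folded label tuple; a trailing dot is ignored."""
    return tuple(l for l in name.lower().rstrip(".").split(".") if l)

def at_or_below(name, apex):
    """Label-wise test, so notexample.com is not 'below' example.com."""
    n, a = labels(name), labels(apex)
    return len(n) >= len(a) and n[len(n) - len(a):] == a

def acceptable_glue(answer, authority, additional):
    """Keep only additional-section A/AAAA RRs meeting (a) and (b)."""
    referenced = {}  # NS target labels -> owner names of referencing NS RRsets
    for rr in list(answer) + list(authority):
        if rr.rtype == "NS":
            referenced.setdefault(labels(rr.rdata), []).append(rr.owner)
    kept = []
    for rr in additional:
        if rr.rtype not in ("A", "AAAA"):
            continue
        ns_owners = referenced.get(labels(rr.owner), [])        # (a)
        if any(at_or_below(rr.owner, o) for o in ns_owners):    # (b)
            kept.append(rr)
    return kept

# Constructed sample referral (documentation names and addresses).
AUTHORITY = [
    RR("example.com", "NS", "ns1.example.com"),
    RR("example.com", "NS", "ns.other.net"),
    RR("example.com", "NS", "ns1.notexample.com"),
]
ADDITIONAL = [
    RR("ns1.example.com", "A", "192.0.2.1"),      # referenced, at or below NS owner
    RR("ns.other.net", "A", "192.0.2.2"),         # referenced, not below NS owner
    RR("ns1.notexample.com", "A", "192.0.2.3"),   # matches as a string suffix only
    RR("www.example.com", "A", "192.0.2.4"),      # not referenced by any NS RR
]

if __name__ == "__main__":
    for rr in acceptable_glue([], AUTHORITY, ADDITIONAL):
        print(rr)
```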