This is a discussion on Re: DNS Blackhole attack - DNS ; On Sun, 6 Mar 2005, Masataka Ohta wrote: > Dean Anderson wrote: > > > On Sat, 5 Mar 2005, Hallam-Baker, Phillip wrote: > > > >>This just appeared on the SANS list. Time to stop arguing and get DNSSEC ...
On Sun, 6 Mar 2005, Masataka Ohta wrote:
> Dean Anderson wrote:
> > On Sat, 5 Mar 2005, Hallam-Baker, Phillip wrote:
> >>This just appeared on the SANS list. Time to stop arguing and get DNSSEC
> > I've not been testing DNSSEC, but I understand it requires TCP. So, DNSSEC
> > cannot be deployed on root servers, due to large number of root servers
> > using anycast, and anycast conflict with the DNSSEC's TCP requirements.
> That is not a valid reason to avoid DNSSEC. Anycast does work with
> short-lived TCP.
Uhh, no, it doesn't. Not when Per-packet-load-balancing (PPLB) is used
Cisco has been shipping PPLB for a while now. Its been tested: PPLB works
on BGP links, and it works on OSPF links. Its not just external paths you
need to worry about. If you have OSPF internal network using PPLB, and
the internal paths lead to different external peer interfaces, then
packets could hit different anycast root servers on a per-packet basis. So
TCP won't work to them.
This was discussed at length some little while back. The notion that
short-lived tcp can work over anycast is wrong.
> However, the security problem, here, is not inherent to DNS but
> is caused by poor implementation of it, which is why we MUST
> avoid DNSSEC which is a lot more complex than DNS and is
> assured to make its implementations poor and insecure.
I don't agree the security problem DNS is a due to implementation bugs.
Av8 Internet Prepared to pay a premium for better service?
www.av8.net faster, more reliable, better service
617 344 9000
to unsubscribe send a message to firstname.lastname@example.org with
the word 'unsubscribe' in a single line as the message text body.