how to protect name servers against cache corruption

No one in the security field has any right to expect any implementation of
DNS to be secure until DNSSEC is widely implemented.

I'm sorry if something I said misled you to believe otherwise.

So BIND 8.1.1 is NOT "immune" to the poisoned resource-record attack? I
ask because you specifically stated that it was. Sorry to nag, I'd just
like to see this clarified to the operations community.

Again, thanks for your time and patience!

> No one in the security field has any right to expect any implementation of
> DNS to be secure until DNSSEC is widely implemented.

this statement bothers me. certainly without DNSSEC there can be no
*assurances* of security, but there is a gaping chasm between the current
system and DNSSEC that could be closed significantly with proper design.

simply stating that until DNSSEC arrives these attacks are going to be
allowed is a cop-out.

ben

> [...] but there is a gaping chasm between the current
> system and DNSSEC that could be closed significantly with proper design.

Well, in the words of Internet, FidoNet, and other developers worldwide....

      Send Code <tm>

If you have "proper design" that significantly closes the holes, I'm sure
we'd all, Mr. Vixie included, appreciate your patch files which
illustrate proper design.

> simply stating that until DNSSEC arrives these attacks are going to be
> allowed is a cop-out.

Simply stating that there's a better way without Sending Code is a cop-out.

yes, how dare i not say a word about a problem before fixing it? what
scum i am.

gimme a break.

I realize I'm dragging this on, and I apologize, but:

It's totally valid to report a problem that affects the operations
community without providing a fix. Knowledge of the fact that a problem
exists is valuable, even without a cookbook resolution.

In this case, a few people (some not on this list) would like the
operations community to realize that there are, in fact, some very doable
attacks that remain unaddressed by BIND 8.1.1.

Sure, smart guy. And there are also issues with IP packets
which are passed across untrusted nodes in the Internet.

What exactly is your point?

- paul

> this statement bothers me. certainly without DNSSEC there can be no
> *assurances* of security,

While there are often assurances of security, there can never be assurance
of security.

> there is a gaping chasm between the current system and DNSSEC that could
> be closed significantly with proper design.
>
> simply stating that until DNSSEC arrives these attacks are going to be
> allowed is a cop-out.

Send code.

randy

Ahem.

Yes, reporting a problem you can't personally fix is acceptable.

Casting asparagus upon the design of code other people have written
because it has those problems, however, is another matter. Given that
the author thereof is known to be on the list, it's tantamount to a
personal attack... which is off-topic, per point 6 of the AUP. :-)

My turn: this is off-topic. Please move it to bind-workers, or some
other acceptable forum. (I don't mean you, Paul, I mean Messrs. Black
and Ptacek.)

Cheers,
-- jra