

Poll: Are you interested in DNSSEC support
Yes
No
doesn't matter
DNSSEC
Author: aseques (Dev Team), post #2
RE: DNSSEC
At the moment, it doesn't seem to bring many benefits, and it has some important drawbacks.
Reading from the entry on Wikipedia:
Quote: DNSSEC introduces the ability for a hostile party to enumerate all the names in a zone by following the NSEC chain. NSEC RRs assert which names do not exist in a zone by linking from existing name to existing name along a canonical ordering of all the names within a zone. Thus, an attacker can query these NSEC RRs in sequence to obtain all the names in a zone. Although this is not an attack on the DNS itself, it could allow an attacker to map network hosts or other resources by enumerating the contents of a zone.

So unless bind9 or the server we are using has proven support for NSEC3, I would oppose using it.
On the other hand, changing "allow recursion" to no by default in ispcp would disable any known problem with DNS poisoning.

cheers!
10-08-2008 10:43 PM
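
The NSEC chain described in the quoted passage, as an added example that is not part of the original post or of ispCP: a small audit that reads a signed zone's text, reports whether it uses NSEC or NSEC3, and lists the names an NSEC chain discloses. The zone `example.test.`, its records and the function names are constructed for illustration; the parser assumes one record per line with explicit owner, TTL and class.

```python
"""Audit signed-zone text: NSEC or NSEC3, and what an NSEC chain discloses."""

# Constructed sample: a tiny NSEC-signed zone in presentation format.
SAMPLE_ZONE = """\
example.test.       3600 IN NSEC  admin.example.test. A NS SOA RRSIG NSEC DNSKEY
admin.example.test. 3600 IN NSEC  vpn.example.test. A RRSIG NSEC
vpn.example.test.   3600 IN NSEC  www.example.test. A RRSIG NSEC
www.example.test.   3600 IN NSEC  example.test. A AAAA RRSIG NSEC
www.example.test.   3600 IN A     192.0.2.10  ; ordinary data record
"""


def parse_records(zone_text):
    """Yield (owner, rtype, rdata_fields) from 'owner ttl IN type rdata...' lines."""
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop trailing comments
        if len(fields) >= 5 and fields[2].upper() == "IN":
            yield fields[0].lower(), fields[3].upper(), fields[4:]


def audit_denial(zone_text, apex):
    """Return (mode, names).

    mode is 'NSEC', 'NSEC3' or 'unsigned'. names is every owner name reachable
    by following NSEC 'next name' links from the apex, i.e. what the chain
    reveals to anyone who can query the zone. It is empty for NSEC3, where
    the chain links hashed owner names instead of the names themselves.
    """
    nsec_next = {}
    has_nsec3 = False
    for owner, rtype, rdata in parse_records(zone_text):
        if rtype == "NSEC":
            nsec_next[owner] = rdata[0].lower()  # first rdata field = next name
        elif rtype in ("NSEC3", "NSEC3PARAM"):
            has_nsec3 = True
    if not nsec_next:
        return ("NSEC3" if has_nsec3 else "unsigned"), []
    names, current = [], apex.lower()
    # The last NSEC record points back to the apex, which closes the loop.
    while current in nsec_next and current not in names:
        names.append(current)
        current = nsec_next[current]
    return "NSEC", names


if __name__ == "__main__":
    mode, names = audit_denial(SAMPLE_ZONE, "example.test.")
    print(mode, names)
```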
Messages In This Thread
DNSSEC - Blondak - 10-08-2008, 09:50 PM
RE: DNSSEC - aseques - 10-08-2008 10:43 PM
