Current time: 11-23-2024, 08:25 AM Hello There, Guest! (LoginRegister)


Poll: Are you interested in DNSSEC support
Yes
No
doesn't matter
[Show Results]
 
Post Reply 
DNSSEC
Author Message
Blondak Offline
Junior Member
*****
Dev Team

Posts: 84
Joined: May 2008
Reputation: 5
Post: #1
DNSSEC
Hi,
are you interested in DNSSEC support for bind9?
more about DNSSEC avaible at

http://www.dnssec.cz/
http://en.wikipedia.org/wiki/DNSSEC
(This post was last modified: 10-08-2008 09:53 PM by Blondak.)
10-08-2008 09:50 PM
Visit this user's website Find all posts by this user Quote this message in a reply
aseques Offline
Member
*****
Dev Team

Posts: 330
Joined: May 2008
Reputation: 4
Post: #2
RE: DNSSEC
At the moment, it doesn't seem to bring many benefits, and some important drawbacks.
Reading from the entry on the wikipedia:
Quote:DNSSEC introduces the ability for a hostile party to enumerate all the names in a zone by following the NSEC chain. NSEC RRs assert which names do not exist in a zone by linking from existing name to existing name along a canonical ordering of all the names within a zone. Thus, an attacker can query these NSEC RRs in sequence to obtain all the names in a zone. Although this is not an attack on the DNS itself, it could allow an attacker to map network hosts or other resources by enumerating the contents of a zone.

So unless bind9 or the server we are using has proven support for NSEC3, I would oppose to use it.
By the other hand, changing "allow recursion" to no by default in ispcp would disable any kown problem with DNS poisoning

cheers!
10-08-2008 10:43 PM
Find all posts by this user Quote this message in a reply
Post Reply 


Forum Jump:


User(s) browsing this thread: 1 Guest(s)