SAD DNS cache poisoning attack
Bjørn Mork
bjorn at mork.no
Mon Nov 16 02:21:33 EST 2020
Michael Richardson <mcr+ietf at sandelman.ca> writes:
> better if dnsmasq just implemented https://tools.ietf.org/html/draft-vixie-dnsext-dns0x20-00
> which alas, has never become an RFC, AFAIK.
Does dnsmasq use cookies? Ref https://tools.ietf.org/html/rfc7873
That pretty solves the cache poisoning problem, and should be supported
by most of the authoritative servers out there.
> Alternatively, DNSSEC was designed to deal with the entire gamut of DNS cache
> poisioning.
Sure, and let's have more of that. But realistically it is so hard to
use on the authoritative side that we'll never have full coverage, even
for the names we care about.
Bjørn
More information about the openwrt-devel
mailing list