Re: BIND update?



Mark Boolootian writes:

Everyone that uses the Internet depends on the security of DNS.

That's too bad, because DNS never made any security guarantees. When you ask
to resolve www.google.com, the answer does not mean "www.google.com is on
the network at 74.125.19.104." It means "As far as we can tell at the
moment, www.google.com might be on the network at 74.125.19.104, or that
might be a total lie. Good luck! P.S.: Lying is very easy."

There are no guarantees of authentication, authorization, or integrity.

When I need to verify the identity of a host (really, the identity of an
application server -- which is more relevant anyway), I use things like SSL
certificates and SSH host keys.

After all, you were going to need authentication and integrity -- and likely
confidentiality, too -- at the application layer anyway. Right?

_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"



Relevant Pages

  • RE: Wireless Security Notes and Findings (from this list and other places)
    ... There are two general areas of wireless security: Authentication and ... authentication standard that works with wireless networks. ... client computer runs a client program to connect to the network with a ...
    (Security-Basics)
  • Re: IP address assignment problem
    ... I have a little problem and seek for ur thoughts, let's assume I'm in a very open environment where everyone can very easily try to get his/her laptop on the network and IP addresses are assigned by a DHCP server and we are in a domain environment, how do I prevent machines that are not part of our domain to be assigned an IP address? ... This approach doesn't stop your rogue clients from connecting to other clients, but merely doesn't give them the information they normally need to do so. ... Using 802.1x, your workstations authenticate through the switch to a radius server before they are allowed any connectivity. ... This authentication can use X.509 certificates, computer account credentials from AD, or whatever else you'd normally configure radius to authenticate with. ...
    (Focus-Microsoft)
  • Re: Kerberos machine authentication - apparent authentication failures
    ... When you joined your computer to the domain your wireless network card was ... denied access until you can authenticate to a domain controller as a user. ... While kerberos is the default authentication protocol of choice, ...
    (microsoft.public.windows.server.security)
  • RE: 802.1x, Computers, Wired Security
    ... client to use EAP-TLS. ... Authentication-Provider = Windows ... Wired 802.1X Authentication failed. ... Network Adapter: Broadcom NetXtreme Gigabit Ethernet - Packet Scheduler ...
    (microsoft.public.windows.server.active_directory)
  • Re: IIS 6.0 and 401.2 and 401.1 Errors
    ... > authentication -- client and server first negotiate authentication that ... > So, if you see repeated 401.2 for the same resource from the same client, ... > authenticated connection and instead RENEGOTIATING a new connection. ... > You can easily verify this by installing "Network Monitor" from Windows ...
    (microsoft.public.inetserver.iis)