Re: BIND update?



Mark Boolootian writes:

> Everyone that uses the Internet depends on the security of DNS.

That's too bad, because DNS never made any security guarantees. When you ask
to resolve www.google.com, the answer does not mean "www.google.com is on
the network at 74.125.19.104." It means "As far as we can tell at the
moment, www.google.com might be on the network at 74.125.19.104, or that
might be a total lie. Good luck! P.S.: Lying is very easy."

There are no guarantees of authentication, authorization, or integrity.

When I need to verify the identity of a host (really, the identity of an
application server -- which is more relevant anyway), I use things like SSL
certificates and SSH host keys.

After all, you were going to need authentication and integrity -- and likely
confidentiality, too -- at the application layer anyway. Right?

_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"