Re: BIND update?

Mark Boolootian writes:

Everyone that uses the Internet depends on the security of DNS.

That's too bad, because DNS never made any security guarantees. When you ask
to resolve, the answer does not mean " is on
the network at" It means "As far as we can tell at the
moment, might be on the network at, or that
might be a total lie. Good luck! P.S.: Lying is very easy."

There are no guarantees of authentication, authorization, or integrity.

When I need to verify the identity of a host (really, the identity of an
application server -- which is more relevant anyway), I use things like SSL
certificates and SSH host keys.

After all, you were going to need authentication and integrity -- and likely
confidentiality, too -- at the application layer anyway. Right?

freebsd-security@xxxxxxxxxxx mailing list
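
The point made in the message above, as an added example that is not part of the original post: a client that pins SSH host keys makes its trust decision from the name it meant and the key the server presents, so the address DNS returned never enters into it. The host name, addresses and key bytes are constructed samples; the sketch assumes the server has already proven possession of the matching private key during key exchange, and it handles only plain known_hosts lines (no hashed names, wildcards or `@` markers).

```python
import base64
import hashlib
import struct

def ed25519_blob(pub32: bytes) -> bytes:
    """SSH wire encoding of an ed25519 public key: two length-prefixed strings."""
    alg = b"ssh-ed25519"
    return struct.pack(">I", len(alg)) + alg + struct.pack(">I", len(pub32)) + pub32

def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the key blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def pinned_keys(known_hosts: str, name: str) -> list[bytes]:
    """Return the key blobs pinned for `name` in plain known_hosts lines."""
    blobs = []
    for line in known_hosts.splitlines():
        fields = line.split()
        # Skip blanks, comments, @-marker lines and hashed (|1|...) entries.
        if len(fields) < 3 or fields[0].startswith(("#", "@", "|")):
            continue
        if name in fields[0].split(","):
            blobs.append(base64.b64decode(fields[2]))
    return blobs

def check_server(known_hosts: str, name: str, resolved_ip: str, presented: bytes) -> bool:
    """Accept only a pinned key for `name`; resolved_ip is deliberately unused."""
    return presented in pinned_keys(known_hosts, name)

# Constructed sample data (documentation name and address ranges, made-up key bytes).
REAL_KEY = ed25519_blob(bytes(range(32)))
ROGUE_KEY = ed25519_blob(bytes(32))
KNOWN_HOSTS = f"app.example.org ssh-ed25519 {base64.b64encode(REAL_KEY).decode()}\n"

if __name__ == "__main__":
    cases = [
        ("honest DNS, real server", "192.0.2.10", REAL_KEY),
        ("different address, real server", "203.0.113.66", REAL_KEY),
        ("expected address, other key", "192.0.2.10", ROGUE_KEY),
    ]
    for label, ip, key in cases:
        ok = check_server(KNOWN_HOSTS, "app.example.org", ip, key)
        print(f"{label:32} {ip:14} {fingerprint(key)[:20]}... accept={ok}")
```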