At 8:06 PM -0500 2003/10/02, Bill Weinman wrote:
> Can you document that? I have not seen evidence of DNS spoofing in
> email sufficient to warrant an extra burden on the whole system to
> protect against it. If DNS is the problem, wouldn't DNS be a better
> place to deal with it?
Over 50% of the ccTLD nameservers are open public
caching/recursive nameservers and vulnerable to cache
pollution/poisoning. Jon Postel accidentally poisoned the caches of
many of the nameservers on the net, and damn near took the whole
thing down. Eugene Kashpureff did the same thing in 1997, for
malicious reasons.
Hell, with companies like VeriSign/NetSOL putting up wildcard
records in gTLD zones and UltraDNS handing out bogus glue with the
"authoritative answer" set (not to mention their use of just two
exclusively anycast nameserver IP addresses), there's lots and lots
of danger here.
Most providers do not do edge filtering. Nor do they do bogon
filtering. Nor do they do anti-spoof protection. The result is that
spammers can boldly infect hundreds of thousands of machines across
the 'net, and then use them as a DDoS tool to take out RBL operators
with impunity. Even if people have collected the packets, traced the
lines, and know precisely who is sitting where doing what, the police
and the governments still won't do a damn fscking thing.
If there is a potential security hole that we can perceive today
and that we can reasonably address now, we should do so.
If we can help mitigate this by requiring certificates, then I'd
say we should require certificates.
--
Brad Knowles, <brad(_dot_)knowles(_at_)skynet(_dot_)be>
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
-Benjamin Franklin, Historical Review of Pennsylvania.
GCS/IT d+(-) s:+(++)>: a C++(+++)$ UMBSHI++++$ P+>++ L+ !E-(---) W+++(--) N+
!w--- O- M++ V PS++(+++) PE- Y+(++) PGP>+++ t+(+++) 5++(+++) X++(+++) R+(+++)
tv+(+++) b+(++++) DI+(++++) D+(++) G+(++++) e++>++++ h--- r---(+++)* z(+++)
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
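The cache pollution the message above refers to (the Kashpureff incident, and "bogus glue" shipped with the AA bit set) works by slipping records for names a server is not authoritative for into the answer, authority or additional section of an otherwise legitimate response. The defence a caching resolver applies is a bailiwick check: only records whose owner name lies at or below the zone the queried server is authoritative for are accepted, and the AA flag plays no part in that decision because the responder sets it. The following is an added example written for this page, not code from the ASRG thread or from any resolver; it uses only the Python standard library, hand-builds a constructed response (hypothetical names, RFC 5737 test addresses, header ID 0x1234 chosen arbitrarily) with one in-bailiwick compressed-name record and one out-of-bailiwick record, parses it, and shows which records a cache may keep.

```python
"""Bailiwick filtering of a DNS response (added example, stdlib only).

Constructed sample: an "authoritative" answer for www.example.com whose
additional section also carries an A record for a name the server has no
authority over. All names and addresses are constructed for illustration."""
import struct

A, NS = 1, 2          # RR type codes used below
AA_FLAG = 0x0400      # "authoritative answer" bit in the DNS header flags


def encode_name(name):
    """Uncompressed wire form of a dotted name."""
    wire = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return wire + b"\x00"


def rr(owner_wire, rtype, rdata, ttl=300):
    """One resource record; owner_wire is already wire-encoded (may be compressed)."""
    return owner_wire + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def a_rdata(ip):
    return bytes(int(o) for o in ip.split("."))


def build_response(qname, answer, authority, additional, aa=True):
    flags = 0x8000 | (AA_FLAG if aa else 0)        # QR=1, optionally AA=1
    header = struct.pack("!HHHHHH", 0x1234, flags, 1,
                         len(answer), len(authority), len(additional))
    question = encode_name(qname) + struct.pack("!HH", A, 1)
    return header + question + b"".join(answer + authority + additional)


def read_name(msg, off, max_hops=16):
    """Decode a possibly compressed name; returns (name, offset after the name)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                  # compression pointer
            hops += 1
            if hops > max_hops:                    # refuse pointer loops
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower() + ".", (off if end is None else end)


def parse_response(msg):
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, out = 12, {"aa": bool(flags & AA_FLAG), "questions": []}
    for _ in range(qd):
        name, off = read_name(msg, off)
        out["questions"].append((name,) + struct.unpack("!HH", msg[off:off + 4]))
        off += 4
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        recs = []
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            recs.append((name, rtype, ttl, msg[off:off + rdlen]))
            off += rdlen
        out[section] = recs
    return out


def in_bailiwick(owner, zone):
    """True if owner is the zone apex itself or lies below it."""
    owner, zone = owner.lower().rstrip(".") + ".", zone.lower().rstrip(".") + "."
    return zone == "." or owner == zone or owner.endswith("." + zone)


def filter_response(msg, zone):
    """Split a response into records a cache may accept and records it must drop.
    The AA bit is deliberately ignored: the responder sets it, so it proves nothing."""
    parsed = parse_response(msg)
    kept, dropped = [], []
    for section in ("answer", "authority", "additional"):
        for name, rtype, ttl, rdata in parsed[section]:
            (kept if in_bailiwick(name, zone) else dropped).append((section, name, rtype, rdata))
    return parsed["aa"], kept, dropped


# Constructed response. The question name starts at offset 12, so the label
# "example" sits at offset 16 and can be referenced by the pointer 0xC010.
POISONED = build_response(
    "www.example.com.",
    answer=[rr(encode_name("www.example.com."), A, a_rdata("192.0.2.1"))],
    authority=[rr(encode_name("example.com."), NS, encode_name("ns1.example.com."))],
    additional=[
        rr(b"\x03ns1\xc0\x10", A, a_rdata("192.0.2.53")),                    # in bailiwick, compressed owner
        rr(encode_name("www.other-bank.test."), A, a_rdata("198.51.100.66")),  # out of bailiwick: poison
    ],
)

if __name__ == "__main__":
    aa, kept, dropped = filter_response(POISONED, "example.com.")
    print("AA set:", aa)
    for rec in kept:
        print("keep", rec[:3])
    for rec in dropped:
        print("DROP", rec[:3])
```

Run stand-alone it keeps the three example.com records (including the one whose owner name is compressed) and drops the www.other-bank.test A record even though the whole message carries AA=1. Bailiwick checking addresses glue injection only; it does nothing against forged responses for in-bailiwick names on an open recursive server, which is the other half of the argument above.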