6 Aug 2009, 6:06 a.m.
There are really two security problems here, which implies that two different methods might be necessary:

1) Authenticate the nameserver to the client (and so on up the chain to the root) in order to defeat the Kaminsky attack, man in the middle, IP-layer interference. (Are you who you say you are?)
2) Validate the information in the nameserver. (OK, so you're the nameserver; but who says www.google.com is 1.2.3.4?)

1) is the transport layer problem; 2) is the DNSSEC/zone signing problem.
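The two checks in the message above, kept separate, as an added example that is not part of the original post. It assumes an HMAC under a shared key as a stand-in for authenticating the server and an Ed25519 signature as a stand-in for zone signing; the `Answer` type, the key, and the records are constructed for illustration and are not DNS wire formats.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// Answer is a constructed stand-in for one DNS answer, not a real wire format.
type Answer struct {
	Record  string // the data, e.g. "www.example.com. A 192.0.2.10"
	ZoneSig []byte // zone owner's signature over Record (problem 2)
	ChanMAC []byte // MAC under a key shared by client and server (problem 1)
}

func chanMAC(key []byte, record string, zoneSig []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(record))
	m.Write(zoneSig)
	return m.Sum(nil)
}

// Check reports separately: did our keyed server send this, did the zone sign it?
func Check(key []byte, zonePub ed25519.PublicKey, a Answer) (serverOK, dataOK bool) {
	serverOK = hmac.Equal(a.ChanMAC, chanMAC(key, a.Record, a.ZoneSig))
	dataOK = ed25519.Verify(zonePub, []byte(a.Record), a.ZoneSig)
	return
}

// Demo runs three constructed cases and returns {serverOK, dataOK} for each.
func Demo() [3][2]bool {
	zonePub, zonePriv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	key := []byte("constructed-shared-key")
	good, wrong := "www.example.com. A 192.0.2.10", "www.example.com. A 198.51.100.66"
	sig := ed25519.Sign(zonePriv, []byte(good))
	cases := [3]Answer{
		{good, sig, chanMAC(key, good, sig)},   // right server, right data
		{wrong, sig, chanMAC(key, wrong, sig)}, // right server holding wrong data
		{good, sig, nil},                       // signed data via an unauthenticated relay
	}
	var out [3][2]bool
	for i, a := range cases {
		out[i][0], out[i][1] = Check(key, zonePub, a)
	}
	return out
}

func main() { fmt.Println(Demo()) }
```

The second case passes the server check and fails the data check, and the third does the reverse, so neither check substitutes for the other.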