No one in the security field has any right to expect any implementation of DNS to be secure until DNSSEC is widely implemented.
this statement bothers me. certainly without DNSSEC there can be no *assurances* of security, but there is a gaping chasm between the current system and DNSSEC that could be closed significantly with proper design. simply stating that until DNSSEC arrives these attacks are going to be allowed is a copout.

ben
I'm sorry if something I said misled you to believe otherwise.
So BIND 8.1.1 is NOT "immune" to the poisoned resource-record attack? I ask because you specifically stated that it was. Sorry to nag, I'd just like to see this clarified to the operations community.
Again, thanks for your time and patience!
----------------
Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf@enteract.com]
----------------
"If you're so special, why aren't you dead?"