BIND update?

Chris Palmer chris at noncombatant.org
Thu Jul 10 00:27:49 UTC 2008


Mark Boolootian writes:

> Everyone that uses the Internet depends on the security of DNS.

That's too bad, because DNS never made any security guarantees. When you ask
to resolve www.google.com, the answer does not mean "www.google.com is on
the network at 74.125.19.104." It means "As far as we can tell at the
moment, www.google.com might be on the network at 74.125.19.104, or that
might be a total lie. Good luck! P.S.: Lying is very easy."

There are no guarantees of authentication, authorization, or integrity.

When I need to verify the identity of a host (really, the identity of an
application server -- which is more relevant anyway), I use things like SSL
certificates and SSH host keys.

After all, you were going to need authentication and integrity -- and likely
confidentiality, too -- at the application layer anyway. Right?
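The post points at SSH host keys (and SSL certificates) as the place where a host's identity is actually checked, because the DNS answer itself is not authenticated. The following is an added illustration, not code from the post, from BIND or from OpenSSH: a stdlib-only Python model of the `known_hosts` check, covering plain and OpenSSH-style hashed (`|1|salt|hmac`) entries. All hosts, addresses (RFC 5737 test range) and key blobs are constructed for the example; the "DNS answer" is just a value carried along to show that the verdict never depends on it.

```python
"""Added example: an SSH client trusts the pinned host key, not the DNS answer.

Constructed data only (not from the original post): a known_hosts text with one
plain entry and one hashed entry, and two made-up host key blobs standing in for
real ssh-ed25519 public keys. Stdlib only; runs offline.
"""
import base64
import hashlib
import hmac

# Constructed key blobs. Real entries carry a full ssh-ed25519/ssh-rsa key.
KEY_REAL_SERVER = base64.b64encode(b"constructed host key of the real example.net").decode()
KEY_IMPOSTOR = base64.b64encode(b"constructed host key of some other machine").decode()


def hashed_pattern(hostname: str, salt: bytes) -> str:
    """Build an OpenSSH hashed known_hosts pattern: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


# Constructed known_hosts content: one plain entry (name plus address), one hashed entry.
KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts for the example",
    "example.net,203.0.113.10 ssh-ed25519 " + KEY_REAL_SERVER,
    hashed_pattern("files.example.net", b"0123456789abcdefghij") + " ssh-ed25519 " + KEY_REAL_SERVER,
])


def parse_known_hosts(text: str):
    """Return (pattern, keytype, key_b64) tuples; comments and malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue  # a truncated line is never treated as a valid pin
        entries.append((parts[0], parts[1], parts[2]))
    return entries


def pattern_matches(pattern: str, hostname: str) -> bool:
    """Match a hostname against a plain comma-separated pattern or a hashed |1| pattern.

    Simplification for the example: no [host]:port or wildcard forms.
    """
    if pattern.startswith("|1|"):
        _, _, salt_b64, mac_b64 = pattern.split("|")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(mac_b64)
        actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, actual)
    return hostname in pattern.split(",")


def fingerprint(key_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 key blob (unpadded base64)."""
    raw = base64.b64decode(key_b64)
    return "SHA256:" + base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")


def verify_host(hostname: str, presented_key_b64: str, known_hosts_text: str = KNOWN_HOSTS) -> str:
    """Return 'ok' (pinned key presented), 'mismatch' (pinned, but a different key) or 'unknown'."""
    matched = [e for e in parse_known_hosts(known_hosts_text) if pattern_matches(e[0], hostname)]
    if not matched:
        return "unknown"
    presented = base64.b64decode(presented_key_b64)
    for _pattern, _keytype, key_b64 in matched:
        if hmac.compare_digest(base64.b64decode(key_b64), presented):
            return "ok"
    return "mismatch"


def resolve_then_verify(hostname: str, dns_answer_ip: str, presented_key_b64: str) -> dict:
    """The resolver's answer is recorded for display only; the verdict comes from the key check."""
    return {
        "host": hostname,
        "resolved_to": dns_answer_ip,
        "fingerprint": fingerprint(presented_key_b64),
        "verdict": verify_host(hostname, presented_key_b64),
    }


if __name__ == "__main__":
    # Honest answer: the real server presents the pinned key.
    print(resolve_then_verify("example.net", "203.0.113.10", KEY_REAL_SERVER))
    # Forged answer: whatever is at the other address presents a different key.
    print(resolve_then_verify("example.net", "203.0.113.99", KEY_IMPOSTOR))
    # Hashed entry still matches by name.
    print(resolve_then_verify("files.example.net", "203.0.113.10", KEY_REAL_SERVER))
    # No pin yet: the client has nothing to check against (first-connection case).
    print(resolve_then_verify("new.example.net", "203.0.113.10", KEY_REAL_SERVER))
```

The point the model makes concrete: a resolver that hands back the wrong address can send the client to the wrong machine, but it cannot make that machine present the pinned key, so the connection fails the check. The `unknown` case is the weak spot in practice: on first contact there is no pin, and the fingerprint must be verified through some channel other than DNS.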


