[SLL] who is randomizing DNS source ports? deploying DNSSEC?
Derek Simkowiak
dereks at realloc.net
Fri Jul 25 14:59:19 PDT 2008
I'm currently using OpenDNS, because my corporate clients want to
filter pr0n (mostly due to liability concerns). OpenDNS is infinitely
better than NetNanny (and similar), and it also protects Outlook users
from phishing domains. The web-based GUI tools are quick and easy, and
the price is right (it's free).

The CEO of OpenDNS says they will "never" support DNSSEC. From an
article titled "DNSSEC Is Dead, Stick a Fork in It":

(From http://www.eweek.com/c/a/Security/DNSSEC-Is-Dead-Stick-a-Fork-in-It/ )

Another brick wall in the way of DNSSEC is DNS providers in the real
world. OpenDNS is one of the largest DNS resolvers in the world, and CEO
David Ulevitch says they will never support DNSSEC (not that this will
be a problem for him, as he says they get absolutely no customer
interest in it).

Ulevitch says no major ISP would ever support DNSSEC because they don't
want to put lots of money into an infrastructure item that brings no
customer benefit or cost savings. Quite the contrary, DNSSEC would add a
major source of computational burden and complexity to the network. "If
DNSSEC were a stock symbol, I'd be shorting it," he says. Ulevitch
thinks the OpenDNS approach of looking at the actual content of the DNS
traffic does a lot more for security than DNSSEC has ever done.

---Derek