nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: DNS cache poisoning attacks -- are they real?

From: Joe Abley <jabley () isc org>
Date: Sat, 26 Mar 2005 19:32:18 -0500


Le 26 mars 2005, à 17:52, Sean Donelan a écrit :


You forgot the most important requirement, you have to be using
insecure, unpatched DNS code (old versions of BIND, old versions of
Windows, etc). If you use modern DNS code and which only follows
trustworthy pointers from the root down, you won't get hooked by
this.
The obvious rejoinder to this is that there are no trustworthy pointers from the root down (and no way to tell if the root you are talking to contains genuine data) unless all the zones from the root down are signed with signatures you can verify and there's a chain of trust to accompany each delegation.
If you don't have cryptographic signatures in the mix somewhere, it all boils down to trusting IP addresses. 


Joe
Previous By Date Next
Previous By Thread Next

Current thread: