nanog mailing list archives
Re: Hey, SiteFinder is back, again...
From: Mark Andrews <Mark_Andrews () isc org>
Date: Tue, 06 Nov 2007 13:34:58 +1100
> Mark,
>
> On Nov 5, 2007, at 5:31 PM, Mark Andrews wrote:
>> All you have to do is move the validation to a machine you control
>> to detect this garbage.
>
> You probably don't need to bother with DNSSEC validation to stop the
> Verizon redirection. All you need do is run a caching server.

Yep.

>> dnssec-enable yes;
>> dnssec-validation yes;
>> forward only;
>> forwarders { <Verizon's caching servers>; };
>
> Why bother forwarding?

It was just to prove that you could detect this coming out of an ISP's servers.

>> dnssec-lookaside . trust-anchor <dlv registry>;
>
> You forgot the bit where everybody you want to do a DNS lookup on signs
> (and maintains) their zones and trusts and registers with <dlv registry>
> (of which there is exactly one that I know of and that one has 17 entries
> in it the last I looked). You also didn't mention that everyone doing this
> will reference the DLV registry on every non-cached lookup. Puts a _lot_
> of trust (both security wise and operationally) in <dlv registry>...

There are also other lists of trust anchors. With 17 entries there aren't a lot of queries that need to be made to have the entire name space covered by cached NSEC records which DLV will use.

>> All lookups which Verizon has interfered with from signed zones will fail.
>
> Yeah, and Verizon customers would get a timeout (after how long?) instead
> of a more quickly returned A (or maybe a AAAA) RR to a Verizon controlled
> search engine. Not really sure the cure is better than the disease.

But then you can log a complaint that DNSSEC doesn't work using their caching resolvers. Or this just gives you the heads up to find the web form to change the servers returned by DHCP. There is contributed code to do this linkage for BIND. Or to manually update the forwarders. i.e. it's useful for those who use ISPs that haven't yet gone over to the dark side. :-)

> Also not sure what the point is -- most common typos are already squatted
> upon and validly registered to an adsense pay-per-click web page, typically
> a search engine (e.g., www.baknofamerica.com). Seems to me the slimeballs
> have won yet again...

That's a different issue on a different battle front.

Mark

> Regards,
> -drc
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742    INTERNET: Mark_Andrews () isc org
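The detection idea in the exchange above (a resolver you control notices the ISP's servers answering for names that cannot exist) comes down to one check: an honest resolver returns NXDOMAIN for a nonexistent name, while a rewriting one returns NOERROR with an A record. The following Python is an added example, not code from the thread or from BIND: it classifies DNS wire-format responses that way, using constructed sample responses rather than live queries; the zone `example`, the random probe label and the address 192.0.2.53 are placeholders.

```python
import secrets
import struct

def probe_name(zone):
    # Random label: no cache can hold it, so an honest resolver must say NXDOMAIN
    return f"nx-{secrets.token_hex(6)}.{zone.rstrip('.')}."

def build_response(qname, rcode, answer_ip=None, txid=0x1234):
    # Minimal wire-format response; only used to construct sample data here
    flags = 0x8180 | rcode                          # QR=1, RD=1, RA=1, RCODE
    hdr = struct.pack("!HHHHHH", txid, flags, 1, 1 if answer_ip else 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    q = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    q += struct.pack("!HH", 1, 1)                   # QTYPE=A, QCLASS=IN
    ans = b""
    if answer_ip:                                   # name is a pointer to offset 12
        ans = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
        ans += bytes(int(o) for o in answer_ip.split("."))
    return hdr + q + ans

def _skip_name(msg, off):
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:                   # compression pointer, 2 bytes
            return off + 2
        off += 1 + length

def classify_response(msg):
    # ('nxdomain', []) is the honest answer for a nonexistent name;
    # ('synthesized', ips) means the resolver answered NOERROR with A records
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode, off, ips = flags & 0xF, 12, []
    for _ in range(qd):
        off = _skip_name(msg, off) + 4              # skip QTYPE/QCLASS
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    if rcode == 3:
        return ("nxdomain", ips)
    return ("synthesized" if rcode == 0 and ips else "other", ips)

# Constructed samples: an honest NXDOMAIN and a rewritten NOERROR answer
HONEST = build_response(probe_name("example"), 3)
REWRITTEN = build_response(probe_name("example"), 0, "192.0.2.53")
```

This is the plain caching-server check David mentions, not the DNSSEC validation Mark's config performs: it tells you that a nonexistent name was rewritten, not that the answer for an existing name is authentic.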