nanog mailing list archives
Re: Blocking International DNS
From: Joe Abley <jabley () hopcount ca>
Date: Mon, 22 Nov 2010 10:48:10 -0500
On 2010-11-22, at 10:43, Joe Greco wrote:
It's funny, isn't it, didn't we just finish convincing the government of the need for DNSSEC, making the DNS system more resistant to some forms of tampering?
I guess if the manner of the interception was to send back SERVFAIL to DNS clients whose queries were (in some sense) objectionable, the result would be that the clients were not able to resolve the (in some sense) bad names. This would in effect be a selective denial of service attack to DNS clients. DNSSEC provides no integrity protection over that type of interference -- you need to get an answer for the answer to have a signature, and without a signature there's nothing to check. Joe
Current thread:
- Blocking International DNS Marshall Eubanks (Nov 19)
- Re: Blocking International DNS ML (Nov 22)
- Re: Blocking International DNS Jeffrey S. Young (Nov 22)
- Re: Blocking International DNS Jeffrey Lyon (Nov 22)
- Re: Blocking International DNS Joe Abley (Nov 22)
- Re: Blocking International DNS Owen DeLong (Nov 22)
- Re: Blocking International DNS Joe Greco (Nov 22)
- Re: Blocking International DNS Joe Abley (Nov 22)
- Re: Blocking International DNS Dobbins, Roland (Nov 22)
- Re: Blocking International DNS Wil Schultz (Nov 22)
- Re: Blocking International DNS Joe Sniderman (Nov 22)
- Re: Blocking International DNS Jeffrey S. Young (Nov 22)
- Re: Blocking International DNS ML (Nov 22)
- Re: Blocking International DNS Curtis Maurand (Nov 22)
- Re: Blocking International DNS Joe Abley (Nov 22)
- Re: Blocking International DNS Ken Chase (Nov 22)
- Re: Blocking International DNS Jeffrey Lyon (Nov 22)
- Re: Blocking International DNS Ken Chase (Nov 29)
- Re: Blocking International DNS Jeffrey Lyon (Nov 29)
- Re: Blocking International DNS Ken Chase (Nov 29)