nanog mailing list archives
Re: Hey, SiteFinder is back, again...
From: David Conrad <drc () virtualized org>
Date: Mon, 5 Nov 2007 18:16:58 -0800
Mark,

On Nov 5, 2007, at 5:31 PM, Mark Andrews wrote:
All you have to do is move the validation to a machine you control to detect this garbage.
You probably don't need to bother with DNSSEC validation to stop the Verizon redirection. All you need do is run a caching server.
dnssec-enable yes;
dnssec-validation yes;
forward only;
forwarders { <Verizon's caching servers>; };
Why bother forwarding?
dnssec-lookaside . trust-anchor <dlv registry>;
You forgot the bit where everybody you want to do a DNS lookup on signs (and maintains) their zones and trusts and registers with <dlv registry> (of which there is exactly one that I know of and that one has 17 entries in it the last I looked). You also didn't mention that everyone doing this will reference the DLV registry on every non-cached lookup. Puts a _lot_ of trust (both security wise and operationally) in <dlv registry>...
All lookups which Verizon has interfered with from signed zones will fail.
Yeah, and Verizon customers would get a timeout (after how long?) instead of a more quickly returned A (or maybe a AAAA) RR to a Verizon controlled search engine. Not really sure the cure is better than the disease. Also not sure what the point is -- most common typos are already squatted upon and validly registered to an adsense pay-per-click web page, typically a search engine (e.g., www.baknofamerica.com). Seems to me the slimeballs have won yet again...
Regards, -drc
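
A check for the resolver redirection discussed in this message, as an added example that is not part of the original post or of any participant's tooling. It assumes the redirection works by answering lookups of unregistered names with an address record; the function names and the probe suffixes are illustrative choices.

```python
import secrets
import socket


def system_resolve(name):
    """Resolve through the host's configured resolver.

    Returns a sorted list of addresses, or None when the lookup fails
    (nonexistent name, SERVFAIL and timeouts all count as failure here).
    """
    try:
        infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return None
    return sorted({info[4][0] for info in infos})


def probe_names(suffixes=("com", "net", "org"), per_suffix=2):
    """Random 20-hex-character labels that are, in practice, never registered."""
    return [f"{secrets.token_hex(10)}.{s}" for s in suffixes for _ in range(per_suffix)]


def detect_rewriting(resolve=system_resolve, names=None):
    """Probe nonexistent names and report whether they come back with addresses."""
    names = names if names is not None else probe_names()
    answered = {}
    for name in names:
        addrs = resolve(name)
        if addrs:
            answered[name] = addrs
    # An address returned for two or more unrelated random names is treated
    # as the redirection target; a single answered probe is not enough.
    counts = {}
    for addrs in answered.values():
        for addr in addrs:
            counts[addr] = counts.get(addr, 0) + 1
    landing = sorted(a for a, n in counts.items() if n > 1)
    return {
        "probed": len(names),
        "answered": sorted(answered),
        "landing_addresses": landing,
        "rewriting": bool(landing),
    }


if __name__ == "__main__":
    # Live run against whatever resolver this host is configured to use.
    print(detect_rewriting())
```

Run it once through the ISP's caching servers and once through a caching server you operate yourself; a difference in `rewriting` between the two shows where the substitution happens.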