nanog mailing list archives

Re: what if...?

From: Michael Sinatra <michael () rancid berkeley edu>
Date: Tue, 20 Dec 2011 09:46:11 -0800

On 12/20/11 09:31, Valdis.Kletnieks () vt edu wrote:

On Tue, 20 Dec 2011 17:16:06 GMT, bmanning () vacation karoshi com said:

        the one difference is that ISC will be shipping RPZ enabled code v.
        the blackhat having to hack the machine and modify the configuration.


EIther way, the blackhat still has to hack the machine and modify the config.
The only difference is what config change they make.


Yes and...

If you have a really insecure DDNS update mechanism on your master RPZzone, then I can see how RPZ might lower the bar *a little*, but I haveto stretch my imagination quite a bit for that to happen.

If your ISP doesn't use RPZ (regardless of whether the code is presentin BIND), then the bad guy has to hack the box, set up an RPZconfiguration, and then pollute it with bad data. Much easier to justinstall a bunch of fake zones.


RPZ is a red herring here.

michael

Current thread:

what if...? Eduardo A. Suárez (Dec 20)
- RE: what if...? Matlock, Kenneth L (Dec 20)
- Re: what if...? Valdis . Kletnieks (Dec 20)
  - Re: what if...? bmanning (Dec 20)
  - Message not available
    - Re: what if...? Valdis . Kletnieks (Dec 20)
    - Re: what if...? Michael Sinatra (Dec 20)
- Re: what if...? Jared Mauch (Dec 20)
  - Re: what if...? Christian de Larrinaga (Dec 20)
    - Re: what if...? Seth Mattinen (Dec 20)
    - Message not available
    - Re: what if...? Seth Mattinen (Dec 20)
- Re: what if...? Marshall Eubanks (Dec 20)
  - Re: what if...? Jeroen van Aart (Dec 22)
    - Re: what if...? Steven Bellovin (Dec 22)
- Re: what if...? Ken Gilmour (Dec 20)
- Re: what if...? Mark Andrews (Dec 20)