nanog mailing list archives

Re: what if...?


From: Mark Andrews <marka () isc org>
Date: Wed, 21 Dec 2011 09:06:05 +1100


In message <20111220133723.cfjv8g999ssoc8gg () fcaglp fcaglp unlp edu ar>, "Eduardo A. Suárez" writes:
> Hi,
> 
> what if evil guys hack my mom's ISP's DNS servers and use RPZ to redirect
> traffic from mom_bank.com to evil.com?
> 
> How can she detect this?

The bank signs their zone and mum's machine validates the answers
it gets from the ISP.  This is not rocket science.  This is not
beyond the capabilities of even the smallest client that mom would
use to talk to the bank.  This is how DNSSEC was designed to be
used.

Validating in the resolver protects the resolver itself and the
cache from pollution.  It also protects non-DNSSEC-aware clients
from threats upstream of the resolver.  It was always expected that
clients would validate answers themselves.

Mark

> Eduardo.-
> 
> -- 
> Eduardo A. Suarez
> Facultad de Ciencias Astronómicas y Geofísicas - UNLP
> FCAG: (0221)-4236593 int. 172/Cel: (0221)-15-4557542/Casa: (0221)-4526589
> 
> 
> ----------------------------------------------------------------
> This message was sent using IMP, the Internet Messaging Program.


-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka () isc org

