Merit Network

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


Re: DNS cache poisoning attacks -- are they real?

  • From: Joe Abley
  • Date: Sat Mar 26 19:35:06 2005


On 26 March 2005, at 17:52, Sean Donelan wrote:

> You forgot the most important requirement, you have to be using
> insecure, unpatched DNS code (old versions of BIND, old versions of
> Windows, etc). If you use modern DNS code and which only follows
> trustworthy pointers from the root down, you won't get hooked by
> this.

The obvious rejoinder to this is that there are no trustworthy pointers from the root down (and no way to tell if the root you are talking to contains genuine data) unless all the zones from the root down are signed with signatures you can verify and there's a chain of trust to accompany each delegation.

If you don't have cryptographic signatures in the mix somewhere, it all boils down to trusting IP addresses.


Joe



