Merit Network

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


Re: DNS cache poisoning attacks -- are they real?

  • From: Sean Donelan
  • Date: Sat Mar 26 20:19:44 2005

On Sat, 26 Mar 2005, Joe Abley wrote:
> The obvious rejoinder to this is that there are no trustworthy pointers
> from the root down (and no way to tell if the root you are talking to
> contains genuine data) unless all the zones from the root down are
> signed with signatures you can verify and there's a chain of trust to
> accompany each delegation.
>
> If you don't have cryptographic signatures in the mix somewhere, it all
> boils down to trusting IP addresses.

Signatures don't create trust.  A signature can only confirm an existing
trust relationship.  DNSSEC would have the same problem: where do you get
the trustworthy signatures?  By connecting to the same root you don't
trust?

As a practical matter, you can stop 99% of the problems with a lot less
effort.  Why has SSH been so successful, and DNSSEC stumbled so badly?

Always initiate the call yourself. Always check the nonce in the
answer. Never accept unsolicited data. Never accept answers to questions
you didn't ask.

Besides, if you don't trust IP addresses: even if the entire DNS tree
was signed by trustworthy keys, I'd just hijack the IP address in the DNS
answer anyway.  Quarantine NAT is very good at this.
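The four rules in the post above map directly onto checks a stub or caching resolver applies to every UDP reply: only answers to a query it sent itself, only if the 16-bit transaction ID (the "nonce") matches an outstanding query, and only if the question section of the reply is the question that was asked. The following is an added example, not code from the post or from any real resolver; the hostnames, addresses and hand-built packets are constructed for illustration, and the attacker's packets are simply assembled in the same function as the genuine one.

```python
import os
import struct


def encode_name(name):
    """Encode a dotted hostname as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(buf, offset):
    """Decode labels at offset, following compression pointers; return (name, new_offset)."""
    labels = []
    while True:
        length = buf[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack("!H", buf[offset:offset + 2])[0] & 0x3FFF
            tail, _ = decode_name(buf, ptr)
            labels.append(tail)
            return ".".join(labels), offset + 2
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(buf[offset:offset + length].decode("ascii"))
        offset += length


class Resolver:
    """Tracks outstanding queries and validates replies against them."""

    def __init__(self):
        self.pending = {}   # txid -> (qname, qtype, qclass) that we asked

    def build_query(self, qname, qtype=1):
        """Rule 1: initiate the call yourself, with a fresh random transaction ID."""
        txid = struct.unpack("!H", os.urandom(2))[0]
        while txid in self.pending:                    # avoid ID reuse while outstanding
            txid = struct.unpack("!H", os.urandom(2))[0]
        header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, QR clear
        question = encode_name(qname) + struct.pack("!HH", qtype, 1)
        self.pending[txid] = (qname.rstrip(".").lower(), qtype, 1)
        return txid, header + question

    def accept_response(self, pkt):
        """Return (ok, reason, answers); answers is [] when the packet is rejected."""
        if len(pkt) < 12:
            return False, "truncated header", []
        txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
        if not flags & 0x8000:
            return False, "not a response (QR clear)", []
        asked = self.pending.get(txid)
        if asked is None:                              # rules 2 and 3: nonce must match a query we sent
            return False, "unsolicited: no outstanding query with this ID", []
        if qd != 1:
            return False, "unexpected question count", []
        qname, off = decode_name(pkt, 12)
        qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
        off += 4
        if (qname.lower(), qtype, qclass) != asked:    # rule 4: same question we asked
            return False, "answer to a question we did not ask", []
        answers = []
        for _ in range(an):
            name, off = decode_name(pkt, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
            off += 10
            rdata = pkt[off:off + rdlen]
            off += rdlen
            if rtype == 1 and rdlen == 4:              # A record: render as dotted quad
                rdata = ".".join(str(b) for b in rdata)
            answers.append((name, rtype, ttl, rdata))
        del self.pending[txid]                         # one answer per query; a replay is unsolicited
        return True, "ok", answers


def build_response(txid, qname, qtype, ip, flags=0x8180):
    """Constructed reply carrying one A record (stands in for both genuine and spoofed packets)."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = encode_name(qname) + struct.pack("!HHIH", 1, 1, 300, len(rdata)) + rdata
    return header + question + answer


def demo():
    """Send one query, then offer three replies: two forged, one genuine, then a replay."""
    r = Resolver()
    txid, _query = r.build_query("www.example.com")
    # Constructed packets; the 203.0.113.66 ones model an off-path attacker's guesses.
    wrong_id = build_response((txid + 1) & 0xFFFF, "www.example.com", 1, "203.0.113.66")
    wrong_question = build_response(txid, "www.example.org", 1, "203.0.113.66")
    genuine = build_response(txid, "www.example.com", 1, "192.0.2.10")
    verdicts = [r.accept_response(p)[0] for p in (wrong_id, wrong_question, genuine)]
    replay_ok = r.accept_response(genuine)[0]          # query is no longer outstanding
    return verdicts, replay_ok


if __name__ == "__main__":
    print(demo())
```

The 16-bit ID alone is a small nonce, so production resolvers also randomize the UDP source port (RFC 5452) and an off-path attacker has to guess both; this example keys only on the ID and does not model the port.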