[techsec-wg] Re: [dns-wg] What about the last mile, was: getting DNSSEC deployed

[David Conrad <]

On Feb 16, 2007, at 12:50 PM, Doug Barton wrote:
> David Conrad wrote:
> > >     NEW ATTACK TECHNIQUE THREATENS BROADBAND USERS
> > ...
> > > As noted, dnssec can protect against spoofed dns info.
> > Except DNSSEC wouldn't really be applicable.
> It would apply in the (theoretical) subset of applications that are
> configured to rely on signed and validated responses, like hopefully
> windows/osx/mozilla/other software updaters could be configured to do.
The question is how do they get the information that the data has  
been signed and the signatures validated.  Since with this attack  
they'd be going through a compromised server, they lose.  The only  
way out of that hole is if you run a local validating caching server  
and have appropriate (out-of-band validated) trust anchors configured  
and if you're running a local caching server, you're already not  
susceptible to the attack.

Rgds,
-drc