This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/dns-wg@ripe.net/
[dns-operations] [dns-wg] "DNS Vulnerabilities" paper hits the mainstream
Jim Reid
jim at rfc1035.com
Mon May 1 03:00:10 CEST 2006
On May 1, 2006, at 01:15, Bill Larson wrote:

> How can the "security of the DNS system" be considered as any better than
> the security of the parent servers?

Because the parent is not usually authoritative for its children. Sure, the parent could insert bogus delegation info: a fake glue or NS record. But this is little different from a slave server for the child that tells lies about the zone. If anything, a lying slave is probably much worse because the cache poisoning heuristics in a decent implementation will give more credence to what an authoritative child has to say than a non-authoritative parent.

> Using an example from the paper. If the FBI has a delegated server
> that can be easily hijacked, then this would mean that a significant
> number of queries for information in the "fbi.gov" domain could be
> subverted with invalid info. This is a security issue and it is not an
> issue under the direct control of the FBI (except for their decision to
> base their operation on a third party service).

One would hope that if someone outsources DNS service to a third party, that will be subject to a contract which includes performance levels, problem escalation, response to security incidents as well as criminal or civil penalties for non-compliance. I'd get those safeguards buying a cup of coffee, so why not when buying DNS service?

> Isn't this the same type of security issue evaluated with COPS?

I don't think so.
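
Added example, not part of the original message or of any resolver's code: a toy cache that ranks RRsets by credibility, so a non-authoritative parent referral cannot displace what an authoritative child server has said. The ranking is a simplified subset of RFC 2181 section 5.4.1; the class and function names and the `example.test` records are constructed for illustration.

```python
from enum import IntEnum

class Cred(IntEnum):
    """Simplified subset of the RFC 2181 section 5.4.1 ranking; higher wins."""
    REFERRAL = 1        # authority/additional data of a non-authoritative reply
    NONAUTH_ANSWER = 2  # answer section of a non-authoritative reply
    AUTH_AUTHORITY = 3  # authority section of an authoritative (AA) reply
    AUTH_ANSWER = 4     # answer section of an authoritative (AA) reply

def classify(aa, section):
    """Map the AA bit and message section of a record to its credibility."""
    if section == "answer":
        return Cred.AUTH_ANSWER if aa else Cred.NONAUTH_ANSWER
    if section == "authority" and aa:
        return Cred.AUTH_AUTHORITY
    return Cred.REFERRAL  # delegation NS, glue, any additional-section data

class RRsetCache:
    """Toy cache: TTLs and DNSSEC are ignored, only credibility is modelled."""
    def __init__(self):
        self._rrsets = {}

    def offer(self, name, rtype, rdata, aa, section):
        """Store the RRset unless more credible data is already held."""
        key = (name.lower().rstrip("."), rtype)
        cred = classify(aa, section)
        held = self._rrsets.get(key)
        if held is not None and cred < held[0]:
            return False
        self._rrsets[key] = (cred, frozenset(rdata))
        return True

    def lookup(self, name, rtype):
        held = self._rrsets.get((name.lower().rstrip("."), rtype))
        return None if held is None else set(held[1])

def demo():
    """Constructed sequence: parent referral, child answer, later referral."""
    cache, zone = RRsetCache(), "example.test."
    child_ns = {"ns1.example.test.", "ns2.example.test."}
    accepted = [
        cache.offer(zone, "NS", {"ns1.example.test."}, aa=False, section="authority"),
        cache.offer(zone, "NS", child_ns, aa=True, section="authority"),
        cache.offer(zone, "NS", {"ns.other.test."}, aa=False, section="authority"),
    ]
    return accepted, cache.lookup(zone, "NS")

if __name__ == "__main__":
    print(demo())
```

In this model any server that answers authoritatively for the child, a slave included, is ranked the same as the master, which is why the second offer is accepted regardless of which of them sent it.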