This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/dns-wg@ripe.net/
[dns-wg] What about the last mile, was: getting DNSSEC deployed
- Previous message (by thread): [dns-wg] What about the last mile, was: getting DNSSEC deployed
- Next message (by thread): [dns-wg] What about the last mile, was: getting DNSSEC deployed
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Doug Barton
dougb at dougbarton.us
Fri Feb 16 21:50:07 CET 2007
David Conrad wrote: >> NEW ATTACK TECHNIQUE THREATENS BROADBAND USERS > ... >> As noted, dnssec can protect against spoofed dns info. > > Except DNSSEC wouldn't really be applicable. > > The attack (as I understand it) provides a new IP address (that of an > attacker-owned caching resolver) to clients on a LAN attached to the > broadband router, with the attacker-owned caching resolver returning > answers to stub resolver queries. Since validation is done at the > caching resolver, DNSSEC wouldn't apply. It would apply in the (theoretical) subset of applications that are configured to rely on signed and validated responses, like hopefully windows/osx/mozilla/other software updaters could be configured to do. It could also apply to an even more theoretical future browser feature that uses a mechanism similar to the shiny gold SSL padlock icon to indicate a signed and validated response, but the value of that would be limited to the subset of users who wouldn't just click "go to the site anyway" like they do with SSL warnings now. Doug -- If you're never wrong, you're not trying hard enough
- Previous message (by thread): [dns-wg] What about the last mile, was: getting DNSSEC deployed
- Next message (by thread): [dns-wg] What about the last mile, was: getting DNSSEC deployed
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
[ dns-wg Archives ]