This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/dns-wg@ripe.net/
[techsec-wg] Re: [dns-wg] What about the last mile, was: getting DNSSEC deployed
- Previous message (by thread): [dns-wg] What about the last mile, was: getting DNSSEC deployed
- Next message (by thread): [dns-wg] Re: What about the last mile, was: getting DNSSEC deployed
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Wilfried Woeber, UniVie/ACOnet
Woeber at CC.UniVie.ac.at
Mon Feb 19 11:05:59 CET 2007
David Conrad wrote: >> NEW ATTACK TECHNIQUE THREATENS BROADBAND USERS > > ... > >> As noted, dnssec can protect against spoofed dns info. > > > Except DNSSEC wouldn't really be applicable. I know, it would be sloppy use of terms, but when I read the thread I "included" TSIG under the DNSSEC item. That could help, unless the shared secret gets easily compromised, too, and it probably would, assuming that java* or active* is enabled ;-) > The attack (as I understand it) provides a new IP address (that of an > attacker-owned caching resolver) to clients on a LAN attached to the > broadband router, with the attacker-owned caching resolver returning > answers to stub resolver queries. Since validation is done at the > caching resolver, DNSSEC wouldn't apply. > > Rgds, > -drc Wilfried.
- Previous message (by thread): [dns-wg] What about the last mile, was: getting DNSSEC deployed
- Next message (by thread): [dns-wg] Re: What about the last mile, was: getting DNSSEC deployed
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
[ dns-wg Archives ]