[100702] in North American Network Operators' Group
Re: Hey, SiteFinder is back, again...
daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Mon Nov 5 14:57:32 2007
Date: Mon, 5 Nov 2007 19:54:47 +0000
From: "Steven M. Bellovin" <smb@cs.columbia.edu>
To: David Conrad <drc@virtualized.org>
Cc: wb8foz@nrk.com, nanog@merit.edu (nanog list)
In-Reply-To: <E64EBBA5-3520-4E6A-9F00-6A884C383FE7@virtualized.org>
Errors-To: owner-nanog@merit.edu
On Mon, 5 Nov 2007 11:17:29 -0800
David Conrad <drc@virtualized.org> wrote:
> On Nov 5, 2007, at 8:23 AM, David Lesher wrote:
> > What affect will Allegedly Secure DNS have on such provider
> > hijackings, both of DNS and crammed-in content?
>
> If what Verizon is doing is rewriting NXDOMAIN at their caching
> servers, DNSSEC will _not_ help. Caching servers do the validation
> and the insertion of the search engine IP addresses in the response
> would occur after the validation.
>
Depends on whether or not the endpoints delegate DNSSEC validation to
Verizon. They don't have to.
--Steve Bellovin, http://www.cs.columbia.edu/~smb