[100708] in North American Network Operators' Group


Re: Hey, SiteFinder is back, again...

daemon@ATHENA.MIT.EDU (Mark Andrews)
Mon Nov 5 20:33:49 2007

Date: Tue, 6 Nov 2007 12:31:28 +1100 (EST)
From: Mark Andrews <Mark_Andrews@isc.org>
To: nanog@merit.edu
In-Reply-To: <E64EBBA5-3520-4E6A-9F00-6A884C383FE7@virtualized.org>
Errors-To: owner-nanog@merit.edu


In article <E64EBBA5-3520-4E6A-9F00-6A884C383FE7@virtualized.org> you write:
>
>On Nov 5, 2007, at 8:23 AM, David Lesher wrote:
>> What effect will Allegedly Secure DNS have on such provider
>> hijackings, both of DNS and crammed-in content?
>
>If what Verizon is doing is rewriting NXDOMAIN at their caching  
>servers, DNSSEC will _not_ help.  Caching servers do the validation  
>and the insertion of the search engine IP addresses in the response  
>would occur after the validation.
>
>Regards,
>-drc
>

	All you have to do is move the validation to a machine you
	control to detect this garbage. 

		dnssec-enable yes;
		dnssec-validation yes;
		forward only;
		forwarders { <Verizon's caching servers>; };
		dnssec-lookaside . trust-anchor <dlv registry>;

	All lookups which Verizon has interfered with from signed zones
	will fail.

	Mark
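
An added illustration (not part of the original message, and not BIND code) of why the forwarded lookups fail: for a DO-bit query into a signed zone, a rewritten NXDOMAIN comes back as a positive answer carrying no RRSIG, which a validator cannot accept. The Python below only inspects record types in constructed wire-format replies and does no cryptographic validation; the function names, nx.example.org and 192.0.2.1 are assumptions made for the example.

```python
import struct

A, RRSIG, NSEC, NSEC3 = 1, 46, 47, 50            # RR type codes

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def build_response(qname, rcode, answers=(), authority=()):
    """Build a minimal DNS reply; used only to construct the sample data."""
    msg = struct.pack("!6H", 0x1234, 0x8180 | rcode, 1, len(answers), len(authority), 0)
    msg += encode_name(qname) + struct.pack("!2H", A, 1)
    for owner, rtype, rdata in list(answers) + list(authority):
        msg += encode_name(owner) + struct.pack("!2HIH", rtype, 1, 300, len(rdata)) + rdata
    return msg

def skip_name(msg, off):
    while msg[off] and msg[off] & 0xC0 != 0xC0:  # walk plain labels
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)          # pointer is 2 bytes, root label is 1

def record_types(msg):
    """Return (rcode, answer RR types, authority RR types) from a wire-format reply."""
    _, flags, qd, an, ns, _ = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4            # name + qtype + qclass
    types = []
    for _ in range(an + ns):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!2HIH", msg[off:off + 10])
        off += 10 + rdlen
        types.append(rtype)
    return flags & 0xF, types[:an], types[an:]

def classify(msg):
    """Judge a reply to a DO-bit query for a name inside a signed zone."""
    rcode, answer, authority = record_types(msg)
    if rcode == 3:                               # NXDOMAIN: needs a signed NSEC/NSEC3 proof
        proof = RRSIG in authority and (NSEC in authority or NSEC3 in authority)
        return "nxdomain-with-proof" if proof else "nxdomain-unsigned"
    if rcode != 0:
        return "error-rcode"
    if answer:                                   # data from a signed zone must carry RRSIGs
        return "signed-answer" if RRSIG in answer else "unsigned-answer"
    return "nodata"

# Constructed samples (placeholder rdata): a rewritten reply and an honest denial.
REWRITTEN = build_response("nx.example.org", 0, answers=[("nx.example.org", A, bytes([192, 0, 2, 1]))])
HONEST = build_response("nx.example.org", 3,
                        authority=[("example.org", NSEC, b"\x00"), ("example.org", RRSIG, b"\x00")])
```

classify(REWRITTEN) reports "unsigned-answer", the shape a validating forwarder rejects, while classify(HONEST) reports "nxdomain-with-proof".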
