[100709] in North American Network Operators' Group
Re: Hey, SiteFinder is back, again...
daemon@ATHENA.MIT.EDU (David Conrad)
Mon Nov 5 21:18:45 2007
In-Reply-To: <200711060131.lA61VSJo000430@drugs.dv.isc.org>
Cc: nanog@merit.edu
From: David Conrad <drc@virtualized.org>
Date: Mon, 5 Nov 2007 18:16:58 -0800
To: Mark Andrews <Mark_Andrews@isc.org>
Errors-To: owner-nanog@merit.edu
Mark,
On Nov 5, 2007, at 5:31 PM, Mark Andrews wrote:
> All you have to do is move the validation to a machine you
> control to detect this garbage.
You probably don't need to bother with DNSSEC validation to stop the
Verizon redirection. All you need do is run a caching server.
> dnssec-enable yes;
> dnssec-validation yes;
> forward only;
> forwarders { <Verizon's caching servers>; };
Why bother forwarding?
> dnssec-lookaside . trust-anchor <dlv registry>;
You forgot the bit where everybody you want to do a DNS lookup on
signs (and maintains) their zones and trusts and registers with <dlv
registry> (of which there is exactly one that I know of and that one
has 17 entries in it the last I looked). You also didn't mention
that everyone doing this will reference the DLV registry on every non-
cached lookup. Puts a _lot_ of trust (both security-wise and
operationally) in <dlv registry>...
> All lookups which Verizon has interfered with from signed zones
> will fail.
Yeah, and Verizon customers would get a timeout (after how long?)
instead of a more quickly returned A (or maybe a AAAA) RR to a
Verizon controlled search engine. Not really sure the cure is better
than the disease. Also not sure what the point is -- most common
typos are already squatted upon and validly registered to an AdSense
pay-per-click web page, typically a search engine (e.g.,
www.baknofamerica.com). Seems to me the slimeballs have won yet
again...
Regards,
-drc
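An added example, not part of the thread: a stdlib-only Python check for the kind of NXDOMAIN rewriting discussed above. It sends nothing itself; it builds a probe name that cannot exist, parses a DNS wire response to an A query for that name, and reports whether the resolver answered honestly (NXDOMAIN) or substituted an A record. The sample responses, example.com and 192.0.2.1 are constructed placeholders.

```python
import secrets
import struct

def encode_name(name):
    """Wire-encode a DNS name as length-prefixed labels."""
    out = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return out + b"\x00"

def skip_name(wire, off):
    """Return the offset just past a (possibly compressed) name, RFC 1035 s4.1.4."""
    while True:
        length = wire[off]
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, then done
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length

def build_response(qname, rcode, a_records=()):
    """Constructed sample: minimal response to an A query on qname (assumed id 0x1234)."""
    flags = 0x8180 | rcode             # QR=1, RD=1, RA=1, rcode in low 4 bits
    hdr = struct.pack("!HHHHHH", 0x1234, flags, 1, len(a_records), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)   # type A, class IN
    answers = b""
    for ip in a_records:
        rdata = bytes(int(o) for o in ip.split("."))
        answers += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 60, 4) + rdata
    return hdr + question + answers

def classify_response(wire):
    """Classify a response to a probe for a name that cannot exist."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", wire[:12])
    rcode = flags & 0x0F
    off = 12
    for _ in range(qdcount):
        off = skip_name(wire, off) + 4                  # skip qtype/qclass
    addrs = []
    for _ in range(ancount):
        off = skip_name(wire, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", wire[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, class IN
            addrs.append(".".join(str(b) for b in wire[off:off + 4]))
        off += rdlen
    if rcode == 3 and not addrs:
        return ("nxdomain", addrs)     # honest answer for a nonexistent name
    if rcode == 0 and addrs:
        return ("rewritten", addrs)    # resolver substituted an address
    return ("unexpected", addrs)

def probe_name(parent="example.com"):
    """A random label under parent; the only honest reply is NXDOMAIN."""
    return f"{secrets.token_hex(8)}.{parent}"
```

To use it against a real resolver, send a standard A query for `probe_name()` over UDP port 53 and pass the raw reply to `classify_response`; a "rewritten" verdict is the redirection the thread describes.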