[132383] in North American Network Operators' Group


Re: Blocking International DNS

daemon@ATHENA.MIT.EDU (Joe Abley)
Mon Nov 22 10:48:45 2010

From: Joe Abley <jabley@hopcount.ca>
In-Reply-To: <201011221543.oAMFhM7E003376@aurora.sol.net>
Date: Mon, 22 Nov 2010 10:48:10 -0500
To: Joe Greco <jgreco@ns.sol.net>
X-SA-Exim-Mail-From: jabley@hopcount.ca
Cc: Jeffrey Lyon <jeffrey.lyon@blacklotus.net>,
	"nanog@nanog.org" <nanog@nanog.org>, "Jeffrey S. Young" <young@jsyoung.net>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On 2010-11-22, at 10:43, Joe Greco wrote:

> It's funny, isn't it, didn't we just finish convincing the government
> of the need for DNSSEC, making the DNS system more resistant to some
> forms of tampering?

I guess if the manner of the interception was to send back SERVFAIL to
DNS clients whose queries were (in some sense) objectionable, the result
would be that the clients were not able to resolve the (in some sense)
bad names. This would in effect be a selective denial of service attack
to DNS clients.

DNSSEC provides no integrity protection over that type of interference
-- you need to get an answer for the answer to have a signature, and
without a signature there's nothing to check.


Joe
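
[Added example, not part of the original message.] The point above, seen from the validator's side: a SERVFAIL reply with an empty answer section carries no RRSIG records, so there is no signature to check. The function names, the `example.com` query and the sample messages are constructed for illustration; the RRSIG RDATA is dummy bytes, not a real signature.

```python
import struct

RRSIG, SERVFAIL = 46, 2  # RR type and RCODE values from the IANA DNS registries

def qname(name):
    """Encode a domain name as length-prefixed labels."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\0"

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:          # a compression pointer ends the name
            return off + 2
        off += 1 + n

def classify(msg):
    """Report what a DNSSEC validator has to work with in this response."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    sigs = 0
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        sigs += rtype == RRSIG
    if flags & 0xF == SERVFAIL and an == 0:
        return "servfail-nothing-to-verify"   # no RRset, hence no RRSIG
    return "signed-answer" if sigs else "unsigned-answer"

def build(rcode, answers=()):
    """Construct a sample response (QR, RD, RA set) for example.com A."""
    q = qname("example.com") + struct.pack("!HH", 1, 1)
    hdr = struct.pack("!6H", 0x1234, 0x8180 | rcode, 1, len(answers), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", t, 1, 300, len(rd)) + rd
                   for t, rd in answers)
    return hdr + q + rrs

# Constructed samples: an injected-style SERVFAIL and a signed A answer.
SERVFAIL_REPLY = build(SERVFAIL)
SIGNED_REPLY = build(0, [(1, bytes([192, 0, 2, 1])), (RRSIG, b"\0" * 24)])
```
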


