[166728] in North American Network Operators' Group
Re: DNS and nxdomain hijacking
daemon@ATHENA.MIT.EDU (Mark Andrews)
Tue Nov 5 23:01:45 2013
To: Andrew Sullivan <asullivan@dyn.com>
From: Mark Andrews <marka@isc.org>
In-reply-to: Your message of "Tue, 05 Nov 2013 22:30:05 -0500."
<20131106033003.GB6728@dyn.com>
Date: Wed, 06 Nov 2013 15:01:00 +1100
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
In message <20131106033003.GB6728@dyn.com>, Andrew Sullivan writes:
> On Tue, Nov 05, 2013 at 07:57:59PM -0500, Phil Bedard wrote:
> >
> > I think every major residential ISP in the US has been doing this for 5+
> > years now.
>
> Comcast doesn't, because it breaks DNSSEC.
Only if you are validating.
BIND suppports DNSSEC aware NXDOMAIN redirection. If the NXDOMAIN
response is verifiable and you set DO=1 on the query the redirection
will not occur.
Similar logic is implemented in DNS64 support.
> A
>
> --
> Andrew Sullivan
> Dyn, Inc.
> asullivan@dyn.com
> v: +1 603 663 0448
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
