[78955] in North American Network Operators' Group
Re: DNS cache poisoning attacks -- are they real?
daemon@ATHENA.MIT.EDU (Joe Abley)
Sat Mar 26 19:33:41 2005
In-Reply-To: <Pine.GSO.4.58.0503261733230.24905@clifden.donelan.com>
Cc: Florian Weimer <fw@deneb.enyo.de>, nanog@merit.edu
From: Joe Abley <jabley@isc.org>
Date: Sat, 26 Mar 2005 19:32:18 -0500
To: Sean Donelan <sean@donelan.com>
Errors-To: owner-nanog@merit.edu
On 26 Mar 2005, at 17:52, Sean Donelan wrote:
> You forgot the most important requirement: you have to be using
> insecure, unpatched DNS code (old versions of BIND, old versions of
> Windows, etc). If you use modern DNS code which only follows
> trustworthy pointers from the root down, you won't get hooked by
> this.
The obvious rejoinder to this is that there are no trustworthy pointers
from the root down (and no way to tell if the root you are talking to
contains genuine data) unless all the zones from the root down are
signed with signatures you can verify and there's a chain of trust to
accompany each delegation.

If you don't have cryptographic signatures in the mix somewhere, it all
boils down to trusting IP addresses.
Joe
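The chain of trust Joe describes, as an added example that is not part of the original thread or any ISC code: a toy resolver walks from a root trust anchor down through each delegation, accepting a child zone's key only if the parent publishes a DS record (a hash of that key) signed under the key already trusted, and accepting the final answer only if it is signed by the leaf zone's key. The signature scheme is textbook RSA with small trial-division primes, and the zone names, keys and addresses (192.0.2.10, 203.0.113.66) are constructed for the example; the assumption that every label is a zone cut is a simplification, not how real zones are laid out.

```python
"""Toy walk of a DNSSEC chain of trust from the root down (example code, not
from the thread). Textbook RSA with small primes stands in for a real signature
algorithm so that verify() is a genuine signature check; zone names, keys and
addresses below are constructed for this example."""
import copy
import hashlib


def _next_prime(n):
    """Smallest prime >= n by trial division (fine for the ~10**6 range used here)."""
    while any(n % i == 0 for i in range(2, int(n ** 0.5) + 1)):
        n += 1
    return n


def make_key(seed):
    """Deterministic toy RSA key pair; the seed only selects different primes."""
    p = _next_prime(1_000_000 + 100 * seed)
    q = _next_prime(2_000_000 + 100 * seed)
    n, e = p * q, 65537
    return {"n": n, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}


def public(key):
    return {"n": key["n"], "e": key["e"]}


def _digest(name, rtype, rdata, n):
    """Hash of a canonical record, reduced into the toy key's modulus."""
    raw = f"{name}|{rtype}|{rdata}".encode()
    return int.from_bytes(hashlib.sha256(raw).digest(), "big") % n


def sign(key, name, rtype, rdata):
    return pow(_digest(name, rtype, rdata, key["n"]), key["d"], key["n"])


def verify(pub, name, rtype, rdata, sig):
    return pow(sig, pub["e"], pub["n"]) == _digest(name, rtype, rdata, pub["n"])


def ds_digest(pub):
    """What a parent publishes in a DS record: a hash of the child's public key."""
    return hashlib.sha256(f"{pub['n']}:{pub['e']}".encode()).hexdigest()


def build_zones():
    """Two signed zones, '.' and 'example.': {(owner, type): (rdata, RRSIG)}."""
    keys = {".": make_key(0), "example.": make_key(1)}
    zones = {}
    for zone, key in keys.items():
        dnskey = f"{key['n']}:{key['e']}"
        zones[zone] = {(zone, "DNSKEY"): (dnskey, sign(key, zone, "DNSKEY", dnskey))}
    ds = ds_digest(public(keys["example."]))  # the delegation, signed by the parent
    zones["."][("example.", "DS")] = (ds, sign(keys["."], "example.", "DS", ds))
    addr = "192.0.2.10"  # constructed answer
    zones["example."][("www.example.", "A")] = (addr, sign(keys["example."], "www.example.", "A", addr))
    return zones, public(keys["."])  # root public key doubles as the trust anchor


def validate_chain(zones, trust_anchor, qname):
    """Resolver-side validation: accept the A record only if every delegation from
    the root to the leaf zone carries a DS that verifies under the key already
    trusted. Assumes every label is a zone cut (a simplification for the toy)."""
    labels = qname.rstrip(".").split(".")
    cuts = ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, 0, -1)]
    trusted = trust_anchor
    for parent, child in zip(cuts, cuts[1:]):
        ds, ds_sig = zones.get(parent, {}).get((child, "DS"), (None, None))
        if ds is None or not verify(trusted, child, "DS", ds, ds_sig):
            return False, f"no valid DS for {child} in {parent}"
        dnskey, key_sig = zones.get(child, {}).get((child, "DNSKEY"), (None, None))
        if dnskey is None:
            return False, f"no DNSKEY for {child}"
        n, e = (int(x) for x in dnskey.split(":"))
        child_pub = {"n": n, "e": e}
        if ds_digest(child_pub) != ds:
            return False, f"DNSKEY of {child} does not match parent's DS"
        if not verify(child_pub, child, "DNSKEY", dnskey, key_sig):
            return False, f"DNSKEY of {child} fails self-signature"
        trusted = child_pub  # the chain extends by one delegation
    rdata, sig = zones.get(cuts[-1], {}).get((qname, "A"), (None, None))
    if rdata is None or not verify(trusted, qname, "A", rdata, sig):
        return False, f"A record for {qname} fails validation"
    return True, rdata


def forged_zones(zones, swap_key):
    """Test input for the validator: a response whose answer was replaced and
    signed with a key the resolver has no chain to. With swap_key the response
    also carries a substitute DNSKEY for example.; the parent's DS still names
    the real key, so the chain breaks one step earlier."""
    forged = copy.deepcopy(zones)
    rogue = make_key(7)
    bad = "203.0.113.66"  # constructed wrong answer
    forged["example."][("www.example.", "A")] = (bad, sign(rogue, "www.example.", "A", bad))
    if swap_key:
        dnskey = f"{rogue['n']}:{rogue['e']}"
        forged["example."][("example.", "DNSKEY")] = (dnskey, sign(rogue, "example.", "DNSKEY", dnskey))
    return forged


if __name__ == "__main__":
    zones, anchor = build_zones()
    print(validate_chain(zones, anchor, "www.example."))
    print(validate_chain(forged_zones(zones, swap_key=False), anchor, "www.example."))
    print(validate_chain(forged_zones(zones, swap_key=True), anchor, "www.example."))
```

The point of the two forged variants is the one in the message above: without a signature chain the resolver has nothing to check but the IP address the packet came from, whereas with the chain the only input the resolver must trust out of band is the root key, and every other key is accepted or rejected by the DS its parent signed.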