[78961] in North American Network Operators' Group
Re: DNS cache poisoning attacks -- are they real?
daemon@ATHENA.MIT.EDU (Christopher L. Morrow)
Sat Mar 26 23:41:58 2005
Date: Sun, 27 Mar 2005 04:41:24 +0000 (GMT)
From: "Christopher L. Morrow" <christopher.morrow@mci.com>
In-reply-to: <43cbd7e7fdd90b2c3bf9b2ed7b10b69c@isc.org>
To: Joe Abley <jabley@isc.org>
Cc: Sean Donelan <sean@donelan.com>,
Florian Weimer <fw@deneb.enyo.de>, nanog@merit.edu
Errors-To: owner-nanog@merit.edu
On Sat, 26 Mar 2005, Joe Abley wrote:
>
>
> Le 26 mars 2005, =E0 17:52, Sean Donelan a =E9crit :
>
> > You forgot the most important requirement, you have to be using
> > insecure, unpatched DNS code (old versions of BIND, old versions of
> > Windows, etc). If you use modern DNS code and which only follows
> > trustworthy pointers from the root down, you won't get hooked by
> > this.
>
> The obvious rejoinder to this is that there are no trustworthy pointers
> from the root down (and no way to tell if the root you are talking to
> contains genuine data) unless all the zones from the root down are
> signed with signatures you can verify and there's a chain of trust to
> accompany each delegation.
>
> If you don't have cryptographic signatures in the mix somewhere, it all
> boils down to trusting IP addresses.
where was www.makelovenotspam.com re-pointed to and 'hacked' again?? I
forget... 'trust of the ip address' :(
