[dns-operations] DNS trust dependencies for ICANN TLDs
Florian Weimer
fw at deneb.enyo.de
Thu Jun 11 14:23:19 UTC 2009
* Francis Dupont:
> In your previous mail you wrote:
>
> I've assembled a collection of graphs of zone and name server trust
> dependencies for each ICANN TLD at
>
> http://shinobi.dempsky.org/~matthew/dnstrust/graphs/
>
> => BTW do you know an authoritative server and a caching server are
> very different beasts? So cache poisoning is *only* about caching
> servers and does nothing to an authoritative server...

He specifically stated that he assumes he's got full control over an
authoritative server. It's a different form of attack. I haven't
tried it, but I suspect it will work (but perhaps not against very
busy resolvers).

(Some forms of glue hardening should help here a bit, too, by the
way.)