[dns-operations] Trend/ISC DNS Changer takedown.

Paul Vixie paul at redbarn.org
Fri Nov 11 11:34:27 UTC 2011

> Any malware that intercepts "at a very low level" to redirect DNS queries
can safely be assumed to bring the ability to change trust anchor
information at the same time.

Many of the victims of DNS Changer were CPE devices (home routers). And in
Brazil the ISP's own RDNS was subverted. Stub validation could be attacked
if OS-level trust anchors overwritten by low level malware, yes. But I
predict that some DNSSEC-aware applications will carry their own trust
anchors and do their own RFC 5011 tracking of the root trust anchor. Nothing
lasts for ever or is perfect, but I like the risk profile better for "stubs
and apps do their own validation" than for "stubs trust their RDNS

More information about the dns-operations mailing list