[dns-operations] Massive DNS poisoning attacks in Brazil

Paul Vixie paul at redbarn.org
Tue Oct 2 19:54:04 UTC 2012

On 2012-10-02 7:48 PM, Warren Kumari wrote:
> DNSSEC on the *host / stub* would have though.

this doesn't work at the moment, even when there's code on the stub that
supports it, which is rare and experimental. i occasionally turn on a
recursive name server on my laptop, but it's very rare that udp/53 is
allowed through a wireless gateway in a hotel or coffee shop, and when
it is, edns usually triggers an immune response because the gateway
"knows" that additional data sections of queries are empty. when this
doesn't fail, the multipacket response is damaged by dropping all
fragments after the first one.

if ietf hadn't declared the dns protocol finished, and were not even now
working to close up the dnsext working group, i'd propose that we
develop a standard for carrying edns over tcp/80 and/or tcp/443, which
is for most mobile users what "the internet" consists of.

i'm not sure how we expect DANE to make any difference when we don't
have working last mile DNSSEC.


More information about the dns-operations mailing list