[dns-operations] Massive DNS poisoning attacks in Brazil
Roy Arends
roy at dnss.ec
Tue Oct 2 20:01:14 UTC 2012
dnssec-trigger is your friend.
Roy
Sent from my iPhone
On 2 Oct 2012, at 20:54, Paul Vixie <paul at redbarn.org> wrote:
> On 2012-10-02 7:48 PM, Warren Kumari wrote:
>> DNSSEC on the *host / stub* would have though.
>
> this doesn't work at the moment, even when there's code on the stub that
> supports it, which is rare and experimental. i occasionally turn on a
> recursive name server on my laptop, but it's very rare that udp/53 is
> allowed through a wireless gateway in a hotel or coffee shop, and when
> it is, edns usually triggers an immune response because the gateway
> "knows" that additional data sections of queries are empty. when this
> doesn't fail, the multipacket response is damaged by dropping all
> fragments after the first one.
>
> if ietf hadn't declared the dns protocol finished, and were not even now
> working to close up the dnsext working group, i'd propose that we
> develop a standard for carrying edns over tcp/80 and/or tcp/443, which
> is for most mobile users what "the internet" consists of.
>
> i'm not sure how we expect DANE to make any difference when we don't
> have working last mile DNSSEC.
>
> paul
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
More information about the dns-operations
mailing list