[dns-operations] Massive DNS poisoning attacks in Brazil

Paul Vixie paul at redbarn.org
Tue Oct 2 20:07:09 UTC 2012

On 2012-10-02 8:01 PM, Roy Arends wrote:
> dnssec-trigger is your friend.

i looked at <http://www.nlnetlabs.nl/projects/dnssec-trigger/>. it says:

> Dnssec-trigger reconfigures the local unbound DNS server. This unbound
> DNS server performs DNSSEC validation, but dnssec-trigger will signal
> it to use the DHCP obtained forwarders if possible, and fallback to
> doing its own AUTH queries if that fails, and if that fails prompt the
> user via dnssec-trigger-applet the option to go with insecure DNS only.

> One of the last resorts of dnssec-trigger is to use SSL port 443 for
> DNSSEC. If that fails, it is unlikely that DANE (https, also SSL port
> 443) can work. Thus, logically, this service is very likely to provide
> DNSSEC when DANE must have it.

has the ssl format been submitted as an internet-draft, or is this a
"private standard"?

(if we're expecting tablets, cell phones, and factory fresh osx and
windows to do this, it has to be the former.)
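As an added illustration, not code from dnssec-trigger or from anyone in this thread: the fallback order the quoted description lays out, modelled in Python with constructed probe outcomes. The path names, the probe dictionary and the result labels are assumptions; a real implementation would send queries for a signed name and check that the answers validate.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Possible outcome of probing one resolution path (constructed labels).
OK, BOGUS, UNREACHABLE = "ok", "bogus", "unreachable"

@dataclass(frozen=True)
class Path:
    name: str            # hypothetical label for the resolution path
    needs_consent: bool  # insecure mode requires the user's explicit choice

# Order of preference as the quoted dnssec-trigger description gives it.
ORDER: List[Path] = [
    Path("dhcp-forwarders", False),   # DHCP-supplied resolvers, if they pass DNSSEC
    Path("direct-auth", False),       # unbound doing its own AUTH queries
    Path("tls-443", False),           # DNSSEC over SSL on port 443
    Path("insecure-only", True),      # last resort, only with user consent
]

def choose_path(probe: Dict[str, str], user_accepts_insecure: bool) -> Tuple[Optional[str], List[str]]:
    """Pick the first path that validated; also return a log of rejections.

    A BOGUS result deserves its own log line: answers arrived but failed
    validation, which is what a poisoned or tampering forwarder looks like,
    as opposed to a path that is merely blocked (UNREACHABLE).
    """
    log: List[str] = []
    for p in ORDER:
        if p.needs_consent:
            if user_accepts_insecure:
                log.append(f"{p.name}: chosen with user consent, answers unvalidated")
                return p.name, log
            log.append(f"{p.name}: refused, no user consent")
            return None, log
        result = probe.get(p.name, UNREACHABLE)
        if result == OK:
            return p.name, log
        log.append(f"{p.name}: skipped ({result})")
    return None, log

# Constructed scenario: the DHCP forwarders return tampered answers, port 53
# to the outside is filtered, but port 443 to a trusted resolver works.
HOSTILE_NETWORK = {"dhcp-forwarders": BOGUS, "direct-auth": UNREACHABLE, "tls-443": OK}
# Constructed scenario: a captive portal blocks every path.
CAPTIVE_PORTAL = {"dhcp-forwarders": UNREACHABLE, "direct-auth": UNREACHABLE, "tls-443": UNREACHABLE}

if __name__ == "__main__":
    for label, probe in (("hostile", HOSTILE_NETWORK), ("captive", CAPTIVE_PORTAL)):
        chosen, log = choose_path(probe, user_accepts_insecure=False)
        print(label, "->", chosen or "no DNS until the user decides", log)
```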

