[dns-operations] Massive DNS poisoning attacks in Brazil

Paul Wouters paul at cypherpunks.ca
Wed Oct 3 00:55:12 UTC 2012


On Tue, 2 Oct 2012, Andrew Sullivan wrote:

> I don't think this is the problem at all.  The problem is that even if
> you can get that out at the end point (and I can, using DNSSEC
> Trigger),

Andrew, please have a drink at Second Cup next week when you're at
ICANN. In fact, I'll buy it, you use the wifi to browse around :)

The resolvers are broken for dnssec, otherwise port 53 is blocked. You're
on TCP only. You will see many timeouts and failures and, trust me, you
will enable "insecure" within 5 minutes.

> it does you no good because your application _can't tell_
> what happened.  If I'm a web browser programmer, I want to be able to
> know whether the DNSSEC validation worked before I start using the
> TLSA record.

Why? Are you going to ignore the TLSA record only when DNSSEC fails? In
which case, an attacker will just trigger that.

DNSSEC has to always come in, via port 53, port 80, or via x509 blobs.

Paul
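As an added illustration of the fallback problem discussed above (example code written for this page, not code from the thread or from any DNSSEC Trigger or browser project): a minimal parser for the DNS header flags an application can actually see, plus a TLSA policy function in which the "only use TLSA when validation worked" branch is the one an attacker can steer a client into. The flag constants, policy names and sample headers are constructed here; the AD bit is assumed to come from a validator the client trusts (e.g. on localhost).

```python
# Added example, not code from the thread or any project it mentions: parse the
# header flags of a DNS response and apply a DANE/TLSA policy on top of them.
# Sample responses are constructed inline.
import struct

QR, RD, RA, AD = 0x8000, 0x0100, 0x0080, 0x0020   # header flag bits (RFC 1035/4035)
SERVFAIL = 2

def build_header(ident: int, flags: int, ancount: int = 0) -> bytes:
    """Build a 12-byte DNS header for the constructed samples below."""
    return struct.pack("!6H", ident, flags, 1, ancount, 0, 0)

def parse_header(msg: bytes) -> dict:
    """Extract the fields an application needs from a DNS message header."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    ident, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", msg[:12])
    return {"id": ident, "qr": bool(flags & QR), "ad": bool(flags & AD),
            "rcode": flags & 0x000F, "ancount": ancount}

def dane_decision(hdr: dict, require_dane: bool) -> str:
    """
    Decide how to authenticate a TLS peer from a TLSA lookup's header.
    Returns 'dane' (pin to TLSA), 'pkix' (X.509 chain only) or 'abort'.
    The AD bit is only meaningful when the path to the validating resolver
    is itself trusted (e.g. a validator on localhost).
    """
    if hdr["rcode"] == SERVFAIL:
        # Bogus data, or a broken resolver/blocked port 53: cannot tell which.
        return "abort" if require_dane else "pkix"
    if hdr["ad"]:
        # Validated answer: either the TLSA records or an authenticated denial.
        return "dane" if hdr["ancount"] > 0 else "pkix"
    # No AD bit: the resolver did not validate, so the answer proves nothing.
    # Falling back to 'pkix' here is exactly what an attacker who breaks
    # DNSSEC would trigger; with require_dane the client refuses instead.
    return "abort" if require_dane else "pkix"

# Constructed samples: a validated TLSA answer, an unvalidated one, a SERVFAIL.
SECURE_TLSA   = build_header(0x1234, QR | RD | RA | AD, ancount=1)
INSECURE_TLSA = build_header(0x1235, QR | RD | RA, ancount=1)
BROKEN        = build_header(0x1236, QR | RD | RA | SERVFAIL)
```

With require_dane=False the INSECURE_TLSA and BROKEN cases both end in plain PKIX, which is the downgrade the message above describes; with require_dane=True they abort, which is what "DNSSEC has to always come in" means for the client.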
