[dns-operations] Massive DNS poisoning attacks in Brazil

Andrew Sullivan ajs at anvilwalrusden.com
Wed Oct 3 01:18:32 UTC 2012

On Tue, Oct 02, 2012 at 08:55:12PM -0400, Paul Wouters wrote:

> The resolvers are broken for dnssec, other port 53 is blocked. You're
> on TCP only. You will see many timeouts and failures and trust me you
> will enable "insecure" within 5 minutes.

Yep, I know.  But my point (which I apparently stated so badly that it
was impossible to understand) is that it _doesn't matter_ if you can
get DNSSEC out at the edge, if the application can't tell.

> >know whether the DNSSEC validation worked before I start using the
> >TLSA record.
> Why? Are you going to ignore the TLSA record only when DNSSEC fails? In
> which case, an attacker will just trigger that.

No.  Rather, if I'm going to consume the TLSA record, I need some sort
of confidence that the record was obtained securely.  


Andrew Sullivan
ajs at anvilwalrusden.com

More information about the dns-operations mailing list