[dns-operations] Massive DNS poisoning attacks in Brazil
Andrew Sullivan
ajs at anvilwalrusden.com
Wed Oct 3 01:18:32 UTC 2012
On Tue, Oct 02, 2012 at 08:55:12PM -0400, Paul Wouters wrote:
> The resolvers are broken for dnssec, other port 53 is blocked. You're
> on TCP only. You will see many timeouts and failures and trust me you
> will enable "insecure" within 5 minutes.
Yep, I know. But my point (which I apparently stated so badly that it
was impossible to understand) is that it _doesn't matter_ if you can
get DNSSEC out at the edge, if the application can't tell.
> > know whether the DNSSEC validation worked before I start using the
> > TLSA record.
>
> Why? Are you going to ignore the TLSA record only when DNSSEC fails? In
> which case, an attacker will just trigger that.
No. Rather, if I'm going to consume the TLSA record, I need some sort
of confidence that the record was obtained securely.
A
--
Andrew Sullivan
ajs at anvilwalrusden.com
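An added example, not part of the thread, of the check Andrew describes: before an application consumes a TLSA record it inspects the DNS response header and treats the record as usable only when the AD flag is set and the answer came over a path from a resolver it trusts to validate; a SERVFAIL is classed as a validation failure rather than a reason to silently skip DANE (Paul's downgrade concern). The sample responses are constructed, header-only byte strings; the hypothetical `resolver_is_trusted_validator` flag stands in for whatever the deployment knows about its resolver.

```python
import struct
from enum import Enum


class TlsaTrust(Enum):
    USABLE = "usable"            # validated answer from a trusted resolver
    UNVALIDATED = "unvalidated"  # answer present, but not shown to be secure
    BOGUS = "bogus"              # SERVFAIL: treat as validation failure, not "no DANE"


def parse_header(msg: bytes) -> dict:
    """Unpack the 12-byte DNS header (RFC 1035 / RFC 4035 flag bits)."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": ident,
        "qr": bool(flags & 0x8000),   # response bit
        "tc": bool(flags & 0x0200),   # truncated (retry over TCP)
        "ad": bool(flags & 0x0020),   # Authenticated Data (set by validator)
        "cd": bool(flags & 0x0010),   # Checking Disabled
        "rcode": flags & 0x000F,
        "ancount": an,
    }


def tlsa_trust(msg: bytes, resolver_is_trusted_validator: bool) -> TlsaTrust:
    """Decide whether a TLSA answer may be consumed. AD is only meaningful
    when the resolver that set it is trusted and the path to it is secure."""
    h = parse_header(msg)
    if not h["qr"]:
        raise ValueError("not a DNS response")
    if h["rcode"] == 2:               # SERVFAIL: typical validation-failure signal
        return TlsaTrust.BOGUS
    if h["rcode"] != 0 or h["ancount"] == 0 or h["tc"]:
        return TlsaTrust.UNVALIDATED  # nothing usable (or incomplete) in this answer
    if h["ad"] and resolver_is_trusted_validator:
        return TlsaTrust.USABLE
    return TlsaTrust.UNVALIDATED


# Constructed sample headers (no question/answer sections are needed here).
RESP_AD = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 0)       # QR RD RA AD, NOERROR
RESP_NO_AD = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)    # QR RD RA, NOERROR
RESP_SERVFAIL = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 0) # QR RD RA, rcode 2

if __name__ == "__main__":
    for name, m in [("AD", RESP_AD), ("no AD", RESP_NO_AD), ("SERVFAIL", RESP_SERVFAIL)]:
        print(name, tlsa_trust(m, resolver_is_trusted_validator=True).value)
```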