[dns-operations] Massive DNS poisoning attacks in Brazil

Tony Finch dot at dotat.at
Wed Oct 3 14:06:23 UTC 2012


Vernon Schryver <vjs at rhyolite.com> wrote:
> Tony Finch <dot at dotat.at> wrote:
> > Paul Vixie <paul at redbarn.org> wrote:
> > >
> > > in <http://www.ietf.org/mail-archive/web/dnsext/current/msg11700.html> i
> > > was thinking that we'd add "send chain" as an edns option, and then add
>
> > I like this plan.
>
> All of those DNS tunneling, triggering, alternate port, and other
> variant protocol schemes for dealing with hotels and public access
> points attacks on DNS are either unnecessary in the long run or depend
> on practically no one ever using them.

You are right about dicking around with port numbers and TLS or HTTP
framing. However, the "send chain" EDNS option would be a widely useful
operation for validating stubs.

A stub validator could perhaps send DS and DNSKEY queries for all the
truncated versions of the name between the target name and the root, which
it would have to do concurrently to avoid latency pain, but then it will
have to iterate this to deal with CNAME and/or DNAME chains. The recursor
has already done all the work so it would be nice to get all the results
back in one go.

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.
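The work described in the message above, as an added example that is not part of the original thread: a validating stub walks the truncations of the target name up to the root, asks for DS and DNSKEY at each one concurrently, and then has to repeat the whole exercise when the answer turns out to be a CNAME. The "recursor" here is a constructed in-memory table (`FAKE_ZONE_CUTS`, `FAKE_ANSWERS`), and the names, zone cuts and address are made up; `recursor_send_chain` is only a sketch of what a bundled response could carry, not the option's actual wire format.

```python
"""Added example: the DS/DNSKEY chain a validating stub has to collect,
with and without the recursor handing it over in one response.
The toy recursor below is constructed data, not a real resolver."""
import asyncio

# Constructed sample hierarchy: names that are zone cuts (have a DNSKEY).
# Every cut except the root also has a DS in its parent.
FAKE_ZONE_CUTS = {".", "org.", "example.org.", "net.", "example.net."}
# Constructed answers: the target is a CNAME into a different tree.
FAKE_ANSWERS = {
    ("www.example.org.", "A"): ("CNAME", "cdn.example.net."),
    ("cdn.example.net.", "A"): ("A", "192.0.2.10"),
}


def ancestor_ladder(name):
    """All truncations of `name` up to and including the root, longest first."""
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    return [".".join(labels[i:]) + "." for i in range(len(labels))] + ["."]


async def fake_query(name, qtype, counter):
    """One round-trip to the toy recursor; counts queries for the comparison."""
    counter["queries"] += 1
    await asyncio.sleep(0)  # yield to the loop, standing in for network latency
    if qtype == "DNSKEY":
        return ("DNSKEY", "key-of-" + name) if name in FAKE_ZONE_CUTS else None
    if qtype == "DS":
        is_cut = name in FAKE_ZONE_CUTS and name != "."
        return ("DS", "ds-of-" + name) if is_cut else None
    return FAKE_ANSWERS.get((name, qtype))


async def fetch_ladder(name, counter):
    """DS and DNSKEY for every ancestor of `name`, all in flight at once.
    Returns [(zone_cut, has_ds), ...] for the cuts that exist."""
    ladder = ancestor_ladder(name)
    tasks = [fake_query(n, t, counter) for n in ladder for t in ("DS", "DNSKEY")]
    results = await asyncio.gather(*tasks)
    cuts = []
    for i, n in enumerate(ladder):
        ds, dnskey = results[2 * i], results[2 * i + 1]
        if dnskey is not None:
            cuts.append((n, ds is not None))
    return cuts


async def stub_validate(name, qtype, max_hops=8):
    """What a stub must do without 'send chain': one round per CNAME hop,
    each round issuing the answer query and the whole ladder concurrently."""
    counter = {"queries": 0, "rounds": 0}
    chain = {}
    current = name
    for _ in range(max_hops):
        counter["rounds"] += 1
        answer, cuts = await asyncio.gather(
            fake_query(current, qtype, counter), fetch_ladder(current, counter))
        chain[current] = cuts
        if answer is None:
            return {"answer": None, "chain": chain, **counter}
        rtype, rdata = answer
        if rtype != "CNAME":
            return {"answer": rdata, "chain": chain, **counter}
        current = rdata  # CNAME: the target lives elsewhere, start the ladder again
    raise RuntimeError("CNAME chain too long")


def run_stub(name, qtype):
    """Synchronous wrapper so the stub walk can be called from plain code."""
    return asyncio.run(stub_validate(name, qtype))


def recursor_send_chain(name, qtype, max_hops=8):
    """Sketch of a bundled reply (assumption, not the real option format): the
    recursor already followed the CNAME and knows every cut, so the stub gets
    the whole chain in a single round trip."""
    chain = {}
    current = name
    for _ in range(max_hops):
        chain[current] = [(n, n != ".") for n in ancestor_ladder(current)
                          if n in FAKE_ZONE_CUTS]
        answer = FAKE_ANSWERS.get((current, qtype))
        if answer is None or answer[0] != "CNAME":
            return {"answer": answer[1] if answer else None,
                    "chain": chain, "rounds": 1}
        current = answer[1]
    raise RuntimeError("CNAME chain too long")


if __name__ == "__main__":
    slow = run_stub("www.example.org.", "A")
    fast = recursor_send_chain("www.example.org.", "A")
    print("stub alone: %d rounds, %d queries" % (slow["rounds"], slow["queries"]))
    print("with chain: %d round, same cuts: %s" % (fast["rounds"], slow["chain"] == fast["chain"]))
```

Running it shows the cost the message is getting at: the stub spends one round per name in the CNAME chain (two here, eighteen queries in total), while a recursor that has already done the validation could return the identical set of zone cuts in one exchange.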