[dns-operations] Massive DNS poisoning attacks in Brazil

Vernon Schryver vjs at rhyolite.com
Wed Oct 3 15:21:05 UTC 2012

> From: Tony Finch <dot at dotat.at>

> You are right about dicking around with port numbers and TLS or HTTP
> framing. However the "send chain" EDNS option would be a widely useful
> operation for validating stubs.
> A stub validator could perhaps send DS and DNSKEY queries for all the
> truncated versions of the name between the target name and the root, which
> it would have to do concurrently to avoid latency pain, but then it will
> have to iterate this to deal with CNAME and/or DNAME chains. The recursor
> has already done all the work so it would be nice to get all the results
> back in one go.

That's a good point, except I can only go with "somewhat useful".

On http://www.cnn.com/ just now I see only www.cnn.com, i.cdn.turner.com,
i2.cdn.turner.com among about 33 images and icons.
Getting the DNSSEC chains for those half dozen DNS names (I probably
missed some and I disable most javascript) would save only a trivial
few round trips for a stub with a cache given the round trips to
fetch those images (and javascript).
Besides, the saved round trips would be to the nearby trusted server 
that should be answering within 50 millseconds and closer and faster
than the CDN box serving the content,
not to mention web sites not served by the CDN box.

Vernon Schryver    vjs at rhyolite.com

More information about the dns-operations mailing list