[dns-operations] summary of recent vulnerabilities in DNS security.

Vernon Schryver vjs at rhyolite.com
Sat Oct 19 16:37:10 UTC 2013


> From: Haya Shulman <haya.shulman at gmail.com>

> IMHO, DNSSEC is simply the natural defense against the attacks, which
> is why I did not explicitly mention it, but I definitely had it in
> mind :-)

In that case, on what should an organization spend time or money
first, on DNSSEC or the recommendations in the mail message?  Would
it be better if each of the recommendations in the mail message
started with something like this?

    Deploy DNSSEC, and consider the following to help protect cached
    data not yet protected with DNSSEC.

> Regarding the proxy-behind-upstream: to prevent the attacks DNSSEC has
> to be deployed (and validated) on the proxy. Currently it seems that
> there are proxies that signal support of DNSSEC (via the DO bit), but
> do not validate responses, and validation is typically performed by
> the upstream forwarder.

That sounds like a more significant bug than port obscurity or
randomization.  If it is a bug, which should be addressed first in
that software or those installations, this DNSSEC bug or the
recommendations in the mail message?  If it is a significant DNSSEC
bug, it would be good if a future version of the mail message
mentioned it.


Vernon Schryver    vjs at rhyolite.com
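The proxy behaviour discussed above (DO bit set, validation left to the upstream forwarder) can be inspected in the answers a client actually receives. The following is an added example, not code from the thread or from any DNS implementation: it parses the AD and CD header flags and the EDNS DO flag out of a wire-format DNS message and reports what the responding resolver signals. The sample responses are constructed inline; an AD bit set on a response from the proxy only shows that some validator on the path set it, not that the proxy itself validated, which is the ambiguity raised in the quoted message.

```python
import struct

FLAG_AD = 0x0020   # header: Authenticated Data (RFC 4035)
FLAG_CD = 0x0010   # header: Checking Disabled
DO_BIT = 0x8000    # OPT pseudo-RR TTL field: DNSSEC OK (RFC 6891)
TYPE_OPT = 41


def _skip_name(msg, off):
    """Advance past a wire-format name, honouring compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # two-byte pointer terminates the name
            return off + 2
        off += 1 + length


def dnssec_flags(msg):
    """Return {'ad','cd','do'} booleans for one DNS message."""
    _, flags, qd, an, ns, ar = struct.unpack('!6H', msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4                  # QTYPE + QCLASS
    do = False
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack('!HHIH', msg[off:off + 10])
        if rtype == TYPE_OPT:                           # DO lives in OPT "TTL"
            do = bool(ttl & DO_BIT)
        off += 10 + rdlen
    return {'ad': bool(flags & FLAG_AD), 'cd': bool(flags & FLAG_CD), 'do': do}


def classify(msg):
    """One-line reading of what the resolver signalled about DNSSEC."""
    f = dnssec_flags(msg)
    if not f['do']:
        return 'no EDNS DO: resolver does not signal DNSSEC support'
    if f['ad']:
        return 'DO and AD set: some validator on the path marked this authentic'
    return 'DO set but AD clear: resolver signals DNSSEC yet returned unvalidated data'


def build_response(flags, do):
    """Constructed sample: example.com A 192.0.2.1 plus an OPT record."""
    hdr = struct.pack('!6H', 0x1234, flags, 1, 1, 0, 1)
    question = b'\x07example\x03com\x00' + struct.pack('!HH', 1, 1)
    answer = b'\xc0\x0c' + struct.pack('!HHIH', 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    opt = b'\x00' + struct.pack('!HHIH', TYPE_OPT, 4096, DO_BIT if do else 0, 0)
    return hdr + question + answer + opt
```

Feed real responses captured from a proxy to dnssec_flags() to compare what it signals with what it validates.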


