[dns-operations] summary of recent vulnerabilities in DNS security.

Vernon Schryver vjs at rhyolite.com
Mon Oct 21 22:06:23 UTC 2013


> From: Warren Kumari <warren at kumari.net>

> >> I suspect they're more interested in getting "registry lock" in place rather than DNSSEC.

> >> Most of the attacks against Google have involved changing the name servers completely .. 
> > 
> > 	Through social engineering and sometimes through directed attacks, yes.
>
> Sadly yes. 

I trust we all agree that cache attacks with non-random ports,
fragmentation, or padding are irrelevant except perhaps indirectly
through the general (lack of) value of DNSSEC that I claim better
prevents cache attacks than random ports.

Wouldn't DNSSEC have not made things worse and possibly made them
better by:
  - making the social engineering more difficult by forcing the bad
    guys to change key as well as NS RRs
  - possibly making the bogus records fail to validate for a while
    at the start of the attack, thanks to what might look like an
    unplanned KSK change.
  - possibly making the bogus records fail to validate sooner and so
    get ignored sooner after the registrar records are restored, again
    thanks to what might look like an unplanned KSK change.


Vernon Schryver    vjs at rhyolite.com
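As an added example (not from the thread or its author), showing mechanically why a registrar-side NS change alone does not satisfy a validating resolver: the parent zone's DS record commits to the child's KSK through a SHA-256 digest (RFC 4034), so a substituted DNSKEY fails the DS check. The key material and the owner name below are constructed placeholders, not real records.

```python
import base64
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case) DNS wire form of an owner name, per RFC 4034 section 6."""
    wire = b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.rstrip(".").lower().split("."))
    return wire + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata: bytes) -> int:
    """Key tag from RFC 4034 Appendix B (the 16-bit checksum resolvers use to select a key)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest_sha256(owner: str, rdata: bytes) -> str:
    """DS digest type 2: SHA-256 over the owner name in wire form followed by the DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()

def ds_matches_dnskey(owner: str, rdata: bytes, ds: tuple) -> bool:
    """Does a parent-zone DS (key_tag, algorithm, digest_type, digest) commit to this DNSKEY?"""
    tag, alg, digest_type, digest = ds
    if digest_type != 2:          # only SHA-256 DS records are handled here
        return False
    return (key_tag(rdata) == tag and rdata[3] == alg
            and ds_digest_sha256(owner, rdata) == digest.upper())

# Constructed placeholder key material (not real DNSKEY records).
OWNER = "example.com."
LEGIT_KEY = base64.b64encode(bytes(range(64))).decode()
ATTACKER_KEY = base64.b64encode(bytes(reversed(range(64)))).decode()

def demo() -> tuple:
    """Returns (legit_key_validates, substituted_key_validates) against the parent's DS."""
    legit = dnskey_rdata(257, 8, LEGIT_KEY)        # flags 257 = KSK, algorithm 8 = RSASHA256
    parent_ds = (key_tag(legit), 8, 2, ds_digest_sha256(OWNER, legit))  # what the parent publishes
    attacker = dnskey_rdata(257, 8, ATTACKER_KEY)  # key served by name servers after an NS-only change
    return ds_matches_dnskey(OWNER, legit, parent_ds), ds_matches_dnskey(OWNER, attacker, parent_ds)

if __name__ == "__main__":
    print(demo())  # (True, False)
```

Until the parent's DS is also replaced, the substituted key never validates, which is the "unplanned KSK change" effect the post describes.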
