[dns-operations] summary of recent vulnerabilities in DNS security.
Vernon Schryver
vjs at rhyolite.com
Mon Oct 21 22:06:23 UTC 2013
> From: Warren Kumari <warren at kumari.net>
> >> I suspect they're more interested in getting "registry lock" in place rather than DNSSEC.
> >> Most of the attacks against Google have involved changing the name servers completely ..
> >
> > Through social engineering and sometimes through directed attacks, yes.
>
> Sadly yes.
I trust we all agree that cache attacks with non-random ports,
fragmentation, or padding are irrelevant except perhaps indirectly
through the general (lack of) value of DNSSEC that I claim better
prevents cache attacks than random ports.
Wouldn't DNSSEC have not made things worse and possibly made them
better by:
- making the social engineering more difficult by forcing the bad
guys to change key as well as NS RRs
- possibly making the bogus records fail to validate for a while
at the start of the attack, thanks what might look like an
unplanned KSK change.
- possibly making the bogus records fail to validate sooner and so
get ignored sooner after the registrar records are restored, again
thanks to what might look like an unplanned KSK change.
Vernon Schryver vjs at rhyolite.com
More information about the dns-operations
mailing list