Re: How do we get the whole world to upgrade to DNSSEC capable resolvers?
On Fri, Jul 25, 2008 at 12:24:09PM -0700, David Conrad wrote:
> Joe,
>
> On Jul 25, 2008, at 10:03 AM, Joe Abley wrote:
> >I think that's wrong. I think that once someone is in the position
> >of being able to meddle with the query/response stream, all bets are
> >off and DNSSEC is no cure.
>
> The whole point of DNSSEC is to allow for the validation of responses
> by a validator to ensure they haven't been mucked with in transit.
> The most that an attacker, anywhere in a properly configured DNSSEC-
> protected query/response path, can do is denial of service.
so, it does not matter where the data comes from, as long
as the "wrapper" is intact.
> Once the response leaves the validator on its way to the application,
> either via the response to an unprotected stub resolver call over the
> network or via an intra-machine IPC, it can, of course, be mucked with.
> This is why I believe that if people want to be safe, they need to run
> a validating caching server on their local machine (if the intra-
> machine IPC can be compromised, you've got bigger problems).
you are not alone in this belief.
> But maybe I'm lacking context here...
this is no doubt true for many of us.
> Regards,
> -drc
--bill
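As an added illustration of the point made in the quoted exchange (not code from the list or from either poster): a validator's result reaches the application only as an unsigned AD bit in the DNS header, so a stub can rely on it only when the path from validator to stub cannot be modified, which in practice means a validating cache on loopback. The example below constructs sample 12-byte headers (no real captures), parses the flag bits, models the header rewrite an on-path party could do on an unprotected stub link, and applies the trust rule. The `channel_protected` parameter is an assumption standing in for whatever other protected transport the stub might have; the resolver address 192.0.2.53 is a documentation-range placeholder.

```python
import ipaddress
import struct

# Flag bit positions in the 16-bit DNS header flags word (RFC 1035; AD and CD from RFC 4035).
FLAG_QR, FLAG_AA, FLAG_TC, FLAG_RD, FLAG_RA, FLAG_AD, FLAG_CD = 15, 10, 9, 8, 7, 5, 4
RCODE_NOERROR, RCODE_SERVFAIL = 0, 2


def build_header(ident: int, *, qr=True, rd=True, ra=True, ad=False, cd=False,
                 rcode=RCODE_NOERROR, qdcount=1, ancount=1) -> bytes:
    """Construct a 12-byte DNS header. Sample data for this example, not a real capture."""
    flags = ((qr << FLAG_QR) | (rd << FLAG_RD) | (ra << FLAG_RA)
             | (ad << FLAG_AD) | (cd << FLAG_CD) | (rcode & 0xF))
    return struct.pack("!HHHHHH", ident, flags, qdcount, ancount, 0, 0)


def parse_header(msg: bytes) -> dict:
    """Decode the fixed header: ID, individual flag bits, RCODE and the four section counts."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])

    def bit(pos: int) -> bool:
        return bool((flags >> pos) & 1)

    return {"id": ident, "qr": bit(FLAG_QR), "aa": bit(FLAG_AA), "tc": bit(FLAG_TC),
            "rd": bit(FLAG_RD), "ra": bit(FLAG_RA), "ad": bit(FLAG_AD), "cd": bit(FLAG_CD),
            "rcode": flags & 0xF, "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def set_ad_bit(msg: bytes) -> bytes:
    """Model of the header being rewritten between validator and stub: the AD bit is plain
    header data with no signature over it, so nothing in the message itself reveals the change."""
    flags = struct.unpack("!H", msg[2:4])[0] | (1 << FLAG_AD)
    return msg[:2] + struct.pack("!H", flags) + msg[4:]


def ad_is_trustworthy(header: dict, resolver_ip: str, channel_protected: bool = False) -> bool:
    """Trust rule for a non-validating stub: rely on AD only when the answer is a successful
    response and the validator sits on loopback (a local validating cache) or the caller asserts
    some other channel the attacker cannot modify (channel_protected is an assumed flag here)."""
    if not header["qr"] or header["rcode"] != RCODE_NOERROR or not header["ad"]:
        return False
    return ipaddress.ip_address(resolver_ip).is_loopback or channel_protected


if __name__ == "__main__":
    validated = parse_header(build_header(0x1234, ad=True))
    print("local validator:", ad_is_trustworthy(validated, "127.0.0.1"))
    print("remote resolver over plain UDP:", ad_is_trustworthy(validated, "192.0.2.53"))

    # A response that was never validated, with AD turned on in transit: the stub sees AD=1,
    # but the rule still refuses it because the path is not protected.
    forged = parse_header(set_ad_bit(build_header(0x1234, ad=False)))
    print("forged AD seen:", forged["ad"], "trusted:", ad_is_trustworthy(forged, "192.0.2.53"))

    # Validation failure at the local cache surfaces as SERVFAIL: the application gets no data
    # at all, which is the denial of service the quoted message describes, not a forged answer.
    servfail = parse_header(build_header(0x1234, rcode=RCODE_SERVFAIL))
    print("servfail from local validator:", ad_is_trustworthy(servfail, "127.0.0.1"))
```

The rule mirrors RFC 4035's requirement that a stub only trust the AD bit over a channel it considers secure; running the validator on the same host, as the quoted message suggests, is the usual way to satisfy that without any extra transport protection.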
--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: