funsec mailing list archives
Re: "The ISC is the Microsoft of the DNS, BIND its Windows, ..."
From: "Tomas L. Byrnes" <tomb () byrneit net>
Date: Sat, 21 Aug 2010 23:30:59 -0700
-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Valdis.Kletnieks () vt edu
Sent: Friday, August 06, 2010 12:54 PM
To: noloader () gmail com
Cc: funsec () linuxbox org
Subject: Re: [funsec] "The ISC is the Microsoft of the DNS, BIND its Windows,..."

> On Fri, 06 Aug 2010 15:30:10 EDT, Jeffrey Walton said:
>> request. Under this scheme, the distributed, fault tolerant nature of
>> DNS will be nullified. That is, a government only needs to poison the
>> database of one cooperating operator, and other cooperating dns operators
>> will dutifully incorporate the changes. To make matters worse, the poisoning
>> will cross national/political boundaries - something governments don't
>> fully enjoy under the current system.
>
> Oddly enough, BGP has exactly the same problem.

[Tomas L. Byrnes] Actually the DNS has less of a problem than BGP. Given that there is a concept of ownership and hierarchy of delegation in DNS, you can't just inject false information about a given zone at any node in the DNS and have it propagate. You have to do it at some part of the resolver chain, and you can only affect those resolvers downstream of the chain. If the hysteria about RPZ were true, then pretty much anyone with a DNS server could already hijack anyone else's domain, and that is just not the case. Even large ISPs can't enforce their own NXDOMAIN redirects, as users circumvent them with their own nameservers.

If you want to RPZ (or just plain redirect) foo.com, you can either only do so for all resolvers and forwarders that chain to your nameservers, or you have to actually get (all) the com root-servers to incorporate your RPZ. To use BGP, all you have to do is get some widely peered ISP to send a more specific route than the current one, as happened when Pakistan hosed YouTube.

RPZ is not a bogeyman, since it doesn't actually do anything the US gov couldn't already make ATT.net and others already do, using CNAME or DNAME. It is useful, for those who are sick and tired of playing whack-a-mole with "Marko" and his friends.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
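A constructed model of the two propagation scopes contrasted in the post above, added here as an example and not part of the original message: a response policy installed at one resolver rewrites answers only for clients that chain through it, while a more-specific BGP prefix wins longest-prefix matching no matter who announced it. The resolver names, the policy entry and the prefixes are all hypothetical (RFC 5737 documentation addresses).

```python
import ipaddress

# Constructed resolver topology: value is the upstream forwarder, or None for a
# resolver that recurses from the roots itself (hypothetical names throughout).
UPSTREAM = {
    "isp-a": None,
    "isp-b": None,
    "campus": "isp-a",   # forwards everything to isp-a
    "home": "isp-b",     # forwards everything to isp-b
}
# Constructed response policy installed at one resolver only: qname -> rewrite.
RPZ = {"isp-a": {"foo.com": "walled-garden.example"}}
# Constructed authoritative answer (documentation address, RFC 5737).
AUTHORITATIVE = {"foo.com": "192.0.2.10"}


def resolve(resolver, qname):
    """Follow the forwarding chain from `resolver` upward.

    A policy installed at a node rewrites the answer for that node and every
    client that chains through it; resolvers on other chains never see it.
    """
    if qname in RPZ.get(resolver, {}):
        return RPZ[resolver][qname]
    upstream = UPSTREAM[resolver]
    if upstream is None:
        return AUTHORITATIVE[qname]
    return resolve(upstream, qname)


def affected_resolvers(qname):
    """Return the set of resolvers whose clients get a rewritten answer."""
    return {r for r in UPSTREAM if resolve(r, qname) != AUTHORITATIVE[qname]}


def best_route(routes, dst):
    """BGP-style forwarding: the longest matching prefix wins, whoever
    announced it, so a more-specific route from any peer takes the traffic."""
    dst = ipaddress.ip_address(dst)
    nets = [(ipaddress.ip_network(p), origin) for p, origin in routes]
    matches = [(p, o) for p, o in nets if dst in p]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None


if __name__ == "__main__":
    print("RPZ at isp-a affects:", sorted(affected_resolvers("foo.com")))
    # Constructed table: legitimate /24 plus a more-specific /25 from elsewhere.
    table = [("198.51.100.0/24", "legit-as"), ("198.51.100.0/25", "other-as")]
    print("198.51.100.7 forwarded toward:", best_route(table, "198.51.100.7"))
```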
Current thread:
- "The ISC is the Microsoft of the DNS, BIND its Windows, ..." Paul Vixie (Aug 05)
- Re: "The ISC is the Microsoft of the DNS, BIND its Windows, ..." Paul Ferguson (Aug 05)
- Re: "The ISC is the Microsoft of the DNS, BIND its Windows, ..." freed0 (Aug 06)
- Re: "The ISC is the Microsoft of the DNS, BIND its Windows, ..." Valdis . Kletnieks (Aug 06)
- Re: "The ISC is the Microsoft of the DNS, BIND its Windows, ..." Jeffrey Walton (Aug 06)
- Re: "The ISC is the Microsoft of the DNS, BIND its Windows, ..." Dan Kaminsky (Aug 06)
- Re: "The ISC is the Microsoft of the DNS, BIND its Windows, ..." Jeffrey Walton (Aug 06)
- Re: "The ISC is the Microsoft of the DNS, BIND its Windows, ..." Valdis . Kletnieks (Aug 06)
- Re: "The ISC is the Microsoft of the DNS, BIND its Windows, ..." Paul Ferguson (Aug 06)
- Re: "The ISC is the Microsoft of the DNS, BIND its Windows, ..." Tomas L. Byrnes (Aug 21)
- Re: "The ISC is the Microsoft of the DNS, BIND its Windows, ..." Dan Kaminsky (Aug 06)
- Re: "The ISC is the Microsoft of the DNS, BIND its Windows, ..." Paul Vixie (Aug 06)
- Re: "The ISC is the Microsoft of the DNS, BIND its Windows, ..." der Mouse (Aug 06)