nanog mailing list archives
Re: DNS cache poisoning attacks -- are they real?
From: Sean Donelan <sean () donelan com>
Date: Sat, 26 Mar 2005 20:15:40 -0500 (EST)
On Sat, 26 Mar 2005, Joe Abley wrote:
> The obvious rejoinder to this is that there are no trustworthy pointers from the root down (and no way to tell if the root you are talking to contains genuine data) unless all the zones from the root down are signed with signatures you can verify and there's a chain of trust to accompany each delegation. If you don't have cryptographic signatures in the mix somewhere, it all boils down to trusting IP addresses.
Signatures don't create trust. A signature can only confirm an existing trust relationship. DNSSEC would have the same problem: where do you get the trustworthy signatures? By connecting to the same root you don't trust?

As a practical matter, you can stop 99% of the problems with a lot less effort. Why has SSH been so successful, and DNSSEC stumbled so badly? Always initiate the call yourself. Always check the nonce in the answer. Never accept unsolicited data. Never accept answers to questions you didn't ask.

Besides, if you don't trust IP addresses, even if the entire DNS tree was signed by trustworthy keys I'd just hijack the IP address in the DNS answer anyway. Quarantine NAT is very good at this.
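The four rules in the reply above (initiate the call yourself, check the nonce, drop unsolicited data, drop answers to questions you didn't ask) map directly onto what a UDP stub resolver should verify before it believes a DNS reply. The following is an added example, not code from the post or from any resolver discussed in the thread: it builds a query with a random transaction ID, then runs constructed replies through a checker that enforces those rules. The helper names, the 0x1234 transaction ID, the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 addresses and the example domain names are all assumptions chosen for the demonstration. The bailiwick rule is a simplified one (records must be at the queried name or under its parent domain); real resolvers apply a stricter zone-based check.

```python
"""Added example: stub-resolver checks for DNS-over-UDP replies (not code from the thread)."""
import os
import struct

A, IN = 1, 1  # RR type A, class IN


def encode_name(name):
    """Wire-encode a dotted name (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(buf, off):
    """Decode a possibly compressed name; return (lower-cased name, offset after it)."""
    labels, end = [], None
    while True:
        ln = buf[off]
        if ln & 0xC0 == 0xC0:  # compression pointer: remember where we were, then jump
            if end is None:
                end = off + 2
            off = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(buf[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels).lower() + ".", (end if end is not None else off)


def build_query(qname, qtype=A, txid=None):
    """Client side: we initiate the call, and the 16-bit txid is our nonce."""
    if txid is None:
        txid = struct.unpack("!H", os.urandom(2))[0]
    hdr = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    return txid, hdr + encode_name(qname) + struct.pack("!HH", qtype, IN)


def build_response(txid, qname, qtype, answers):
    """Constructed replies for the demo: answers = [(owner, rtype, rdata), ...]."""
    pkt = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)  # QR|RD|RA
    pkt += encode_name(qname) + struct.pack("!HH", qtype, IN)
    for owner, rtype, rdata in answers:
        pkt += encode_name(owner) + struct.pack("!HHIH", rtype, IN, 300, len(rdata)) + rdata
    return pkt


def parse_records(buf, off, count):
    recs = []
    for _ in range(count):
        owner, off = decode_name(buf, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        recs.append((owner, rtype, rclass, buf[off:off + rdlen]))
        off += rdlen
    return recs, off


def check_response(outstanding, src, resp):
    """Apply the rules. outstanding maps (server_addr, txid) -> (qname, qtype).
    Returns (accepted, reason, kept_records)."""
    if len(resp) < 12:
        return False, "truncated header", []
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    if not flags & 0x8000:
        return False, "not a response", []
    key = (src, txid)  # the nonce, tied to the server we actually called
    if key not in outstanding:
        return False, "unsolicited: no outstanding query for this source/txid", []
    qname, qtype = outstanding[key]
    if qd != 1:
        return False, "unexpected question count", []
    rname, off = decode_name(resp, 12)
    rtype, rclass = struct.unpack("!HH", resp[off:off + 4])
    off += 4
    if (rname, rtype, rclass) != (qname, qtype, IN):
        return False, "answer to a question we did not ask", []
    recs, _ = parse_records(resp, off, an + ns + ar)
    # Simplified bailiwick: keep records at the queried name or under its parent
    # domain; anything else is data we never asked for and must not be cached.
    zone = qname.split(".", 1)[1]
    kept = [r for r in recs if r[0] == qname or r[0].endswith("." + zone)]
    del outstanding[key]  # the nonce is single-use; a replay is unsolicited
    return True, "ok", kept


def demo():
    """Run the checker over constructed packets; returns a verdict per case."""
    server = ("192.0.2.53", 53)  # assumed address of the resolver we called
    outstanding = {}
    txid, _ = build_query("www.example.com.", A, txid=0x1234)  # fixed for the demo
    outstanding[(server, txid)] = ("www.example.com.", A)
    good = [("www.example.com.", A, bytes([192, 0, 2, 10]))]
    rogue = [("login.example.net.", A, bytes([203, 0, 113, 9]))]
    genuine = build_response(txid, "www.example.com.", A, good)
    wrong_txid = build_response(0x9999, "www.example.com.", A, good)
    off_topic = build_response(txid, "www.example.com.", A, good + rogue)
    other_q = build_response(txid, "login.example.net.", A, rogue)
    r = {}
    r["spoofed_txid"] = check_response(outstanding, server, wrong_txid)[0]
    r["wrong_source"] = check_response(outstanding, ("198.51.100.1", 53), genuine)[0]
    r["other_question"] = check_response(outstanding, server, other_q)[0]
    ok, _, kept = check_response(outstanding, server, off_topic)
    r["off_topic_dropped"] = ok and [x[0] for x in kept] == ["www.example.com."]
    r["replay"] = check_response(outstanding, server, genuine)[0]  # nonce already spent
    return r
```

A 16-bit transaction ID is a small nonce, which is why the source-port randomisation later adopted by resolvers matters: the check above only rejects replies that fail to match an outstanding (server, txid) pair, so the strength of the "check the nonce" rule is bounded by how unpredictable that pair is.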
Current thread:
- DNS cache poisoning attacks -- are they real? Florian Weimer (Mar 26)
- Re: DNS cache poisoning attacks -- are they real? Alex Bligh (Mar 26)
- Re: DNS cache poisoning attacks -- are they real? Florian Weimer (Mar 27)
- Re: DNS cache poisoning attacks -- are they real? Sean Donelan (Mar 26)
- Re: DNS cache poisoning attacks -- are they real? Florian Weimer (Mar 26)
- Re: DNS cache poisoning attacks -- are they real? Sean Donelan (Mar 26)
- Re: DNS cache poisoning attacks -- are they real? Jeff Kell (Mar 26)
- Re: DNS cache poisoning attacks -- are they real? Florian Weimer (Mar 26)
- Re: DNS cache poisoning attacks -- are they real? Joe Abley (Mar 26)
- Re: DNS cache poisoning attacks -- are they real? Sean Donelan (Mar 26)
- Re: DNS cache poisoning attacks -- are they real? Joe Abley (Mar 26)
- Re: DNS cache poisoning attacks -- are they real? Niels Bakker (Mar 27)
- Re: DNS cache poisoning attacks -- are they real? Florian Weimer (Mar 27)
- Re: DNS cache poisoning attacks -- are they real? Edward Lewis (Mar 28)
- Re: DNS cache poisoning attacks -- are they real? Christopher L. Morrow (Mar 26)
- Re: DNS cache poisoning attacks -- are they real? Alex Bligh (Mar 26)
- Re: DNS cache poisoning attacks -- are they real? Suresh Ramasubramanian (Mar 27)
- Re: DNS cache poisoning attacks -- are they real? Joe Maimon (Mar 27)
- Re: DNS cache poisoning attacks -- are they real? Randy Bush (Mar 27)
- Re: DNS cache poisoning attacks -- are they real? Christopher L. Morrow (Mar 27)
- Re: DNS cache poisoning attacks -- are they real? John Payne (Mar 28)