nanog mailing list archives

Re: DNS cache poisoning attacks -- are they real?


From: Florian Weimer <fw () deneb enyo de>
Date: Mon, 28 Mar 2005 00:14:01 +0200


* Alex Bligh:

> --On 26 March 2005 23:23 +0100 Florian Weimer <fw () deneb enyo de> wrote:
>
>> Should we monitor for evidence of hijacks (unofficial NS and SOA
>> records are good indicators)?  Should we actively scan for
>> authoritative name servers which return unofficial data?
>
> And what if you find them?

If leaking unofficial data were considered a capital offense (in
Internet terms), many ISPs would take action.  Apparently, it's not,
so detection is pretty much pointless.

> The only way you are going to prevent packet level (as opposed to
> organization level) DNS hijack is get DNSSEC deployed.

DNS cache poisoning (at least in the form which prompted me to start
this thread) is a quality-of-implementation issue.  DNSSEC will not
magically increase code quality (but it will definitely increase
complexity), that's why I don't share the enthusiasm of the DNSSEC
crowd. 8->
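The "unofficial NS and SOA records" indicator mentioned earlier in the thread can be turned into a concrete check: compare the NS set (and the SOA MNAME) a recursive resolver hands back for a zone with the delegation the parent zone publishes, and flag anything the parent never delegated. The following is an added example written for this archive page, not code from either poster; the zone name, record lines and the `ns.unofficial.example.` name are constructed sample data.

```python
"""
Compare the NS/SOA data observed from a cache with the parent's delegation
and report names that do not appear in the official delegation.
Input format is dig-style presentation lines: owner ttl class type rdata...
"""


def normalize(name):
    """Lower-case a DNS name and give it exactly one trailing dot."""
    return name.strip().lower().rstrip(".") + "."


def parse_records(text):
    """Parse presentation-format lines into (owner, type, rdata-list) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # skip blanks and dig-style comments
        owner, _ttl, _klass, rtype, *rdata = line.split()
        records.append((normalize(owner), rtype.upper(), rdata))
    return records


def ns_set(records, zone):
    """All NS targets published at the zone apex."""
    zone = normalize(zone)
    return {normalize(r[2][0]) for r in records if r[1] == "NS" and r[0] == zone}


def soa_mname(records, zone):
    """MNAME (primary master) from the apex SOA, or None if no SOA was seen."""
    zone = normalize(zone)
    for owner, rtype, rdata in records:
        if rtype == "SOA" and owner == zone:
            return normalize(rdata[0])
    return None


def audit_zone(zone, delegation_text, observed_text):
    """Return the delegation discrepancies between parent data and cached data."""
    official = ns_set(parse_records(delegation_text), zone)
    cached = parse_records(observed_text)
    seen = ns_set(cached, zone)
    mname = soa_mname(cached, zone)
    return {
        "unofficial_ns": sorted(seen - official),   # NS the parent never delegated
        "missing_ns": sorted(official - seen),      # delegated NS absent from the cache
        "soa_mname": mname,
        # MNAME outside the delegated set is only an indicator (hidden primaries do this)
        "soa_mname_unofficial": mname is not None and mname not in official,
    }


# Constructed sample data: what the parent (.net) delegates for example.net ...
DELEGATION = """
example.net.  172800  IN  NS  ns1.example.net.
example.net.  172800  IN  NS  ns2.example.net.
"""

# ... and what a recursive resolver's cache answered for the same zone.
OBSERVED = """
example.net.  3600  IN  NS   ns1.example.net.
example.net.  3600  IN  NS   ns.unofficial.example.
example.net.  3600  IN  SOA  ns.unofficial.example. hostmaster.example.net. 2005032801 7200 3600 1209600 3600
"""

if __name__ == "__main__":
    for key, value in audit_zone("example.net", DELEGATION, OBSERVED).items():
        print(f"{key}: {value}")
```

In practice the two inputs would come from querying the parent's name servers (for the delegation) and the resolver under review (for the cached answer). An SOA MNAME that is not one of the delegated NS names is common for zones with a hidden primary, so treat that finding as a prompt to look closer rather than as proof of poisoning; an NS name the parent never delegated is the stronger signal.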

