[techsec-wg] Re: [dns-wg] What about the last mile, was: getting DNSSEC deployed
David Conrad david.conrad at icann.org
Fri Feb 16 17:51:13 CET 2007
> NEW ATTACK TECHNIQUE THREATENS BROADBAND USERS ...
> As noted, dnssec can protect against spoofed dns info.

Except DNSSEC wouldn't really be applicable. The attack (as I understand it) provides a new IP address (that of an attacker-owned caching resolver) to clients on a LAN attached to the broadband router, with the attacker-owned caching resolver returning answers to stub resolver queries. Since validation is done at the caching resolver, DNSSEC wouldn't apply.

Rgds,
-drc