[techsec-wg] Re: [dns-wg] What about the last mile, was: getting DNSSEC deployed
Wilfried Woeber, UniVie/ACOnet Woeber at CC.UniVie.ac.at
Mon Feb 19 11:05:59 CET 2007
David Conrad wrote:

>> NEW ATTACK TECHNIQUE THREATENS BROADBAND USERS
>
> ...
>
>> As noted, dnssec can protect against spoofed dns info.
>
> Except DNSSEC wouldn't really be applicable.

I know, it would be sloppy use of terms, but when I read the thread I
"included" TSIG under the DNSSEC item. That could help, unless the
shared secret gets easily compromised, too, and it probably would,
assuming that java* or active* is enabled ;-)

> The attack (as I understand it) provides a new IP address (that of an
> attacker-owned caching resolver) to clients on a LAN attached to the
> broadband router, with the attacker-owned caching resolver returning
> answers to stub resolver queries. Since validation is done at the
> caching resolver, DNSSEC wouldn't apply.
>
> Rgds,
> -drc

Wilfried.
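The two points argued in this message, that a stub whose resolver address was swapped gains nothing from validation done at the caching resolver, and that a TSIG key shared between stub and resolver helps only as long as the secret stays secret, can be shown in a few dozen lines. The following is an added example written for this archive page, not code from either poster. It builds a minimal DNS query/response in wire format, computes the TSIG MAC over the digest components of RFC 8945 (request MAC, message, TSIG variables) with HMAC-SHA256, and runs a stub against a legitimate resolver and a rogue one. The host name, the addresses (documentation ranges), the key name and the secret are constructed; one simplification is that the MAC is handed back beside the response instead of inside an appended TSIG RR, so no additional-section parsing is needed.

```python
"""Why a swapped resolver address defeats DNSSEC validation done at the
caching resolver, and what a TSIG key shared between stub and resolver
changes. Added example for this thread, not code from the original post:
the names, addresses and secret below are constructed."""
import hashlib
import hmac
import struct

# ---- minimal DNS wire format: one question, one A record, no EDNS ----

def encode_name(name):
    """Dotted name -> DNS labels (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

AD_FLAG = 0x0020  # "Authentic Data" header bit (RFC 4035 section 3.2.3)

def build_query(qname, txid):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)       # RD=1
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)   # A, IN

def build_response(query, ip, ad):
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 | (AD_FLAG if ad else 0)                         # QR RD RA
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    rdata = bytes(int(o) for o in ip.split("."))
    # 0xc00c: compression pointer to the qname at offset 12 (start of question)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return header + query[12:] + answer

def parse_response(msg):
    """(ad_bit_set, answer_ip) for a response from build_response."""
    flags = struct.unpack("!H", msg[2:4])[0]
    return bool(flags & AD_FLAG), ".".join(str(b) for b in msg[-4:])

# ---- TSIG (RFC 8945) MAC computation, HMAC-SHA256 ----
# Simplification: the MAC travels beside the message instead of inside an
# appended TSIG RR, so no additional-section parsing is needed here.

ALG, FUDGE = "hmac-sha256.", 300

def tsig_mac(msg, keyname, secret, time_signed, request_mac=b""):
    """HMAC over [len + request MAC] + message + TSIG variables
    (NAME, CLASS=ANY, TTL=0, algorithm, time signed, fudge, error, other len)."""
    data = b""
    if request_mac:
        data += struct.pack("!H", len(request_mac)) + request_mac
    data += msg
    data += encode_name(keyname.lower()) + struct.pack("!HI", 255, 0)
    data += encode_name(ALG)
    data += struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)  # 48-bit
    data += struct.pack("!HHH", FUDGE, 0, 0)       # fudge, error=0, other len=0
    return hmac.new(secret, data, hashlib.sha256).digest()

# ---- the two parties ----

class Resolver:
    """A caching resolver. `secret` is the TSIG key it can sign with (None if
    it has none). Any resolver may set AD=1: the bit is only the resolver's
    own claim that it validated, so it costs an attacker nothing."""
    def __init__(self, answer_ip, secret, keyname):
        self.answer_ip, self.secret, self.keyname = answer_ip, secret, keyname

    def serve(self, query, query_mac, now):
        resp = build_response(query, self.answer_ip, ad=True)
        if self.secret is None:
            return resp, None, now
        return resp, tsig_mac(resp, self.keyname, self.secret, now, query_mac), now

def stub_lookup(resolver, qname, secret, keyname, now, require_tsig, txid=0x1234):
    """IP the stub will use, or None if it rejects the answer."""
    query = build_query(qname, txid)
    qmac = tsig_mac(query, keyname, secret, now)
    resp, rmac, ts = resolver.serve(query, qmac, now)
    ad, ip = parse_response(resp)
    if not require_tsig:
        return ip if ad else None               # trusts the resolver's AD bit
    if rmac is None or abs(now - ts) > FUDGE:
        return None
    expected = tsig_mac(resp, keyname, secret, ts, qmac)
    return ip if hmac.compare_digest(rmac, expected) else None

# ---- scenarios (constructed addresses from the documentation ranges) ----

LEGIT_IP, ROGUE_IP = "192.0.2.10", "198.51.100.66"
KEYNAME, SECRET = "stub-resolver-key.example.", b"constructed-shared-secret"

def scenario(rogue_secret, require_tsig, now=1171879559):
    """What the stub accepts from its legitimate resolver and from the
    attacker-owned one that the tampered router's DHCP now points it at."""
    legit = Resolver(LEGIT_IP, SECRET, KEYNAME)
    rogue = Resolver(ROGUE_IP, rogue_secret, KEYNAME)
    return {
        "legit": stub_lookup(legit, "bank.example.", SECRET, KEYNAME, now, require_tsig),
        "rogue": stub_lookup(rogue, "bank.example.", SECRET, KEYNAME, now, require_tsig),
    }

if __name__ == "__main__":
    print("AD bit only:      ", scenario(None, require_tsig=False))
    print("TSIG, no key:     ", scenario(None, require_tsig=True))
    print("TSIG, guessed key:", scenario(b"wrong", require_tsig=True))
    print("TSIG, leaked key: ", scenario(SECRET, require_tsig=True))
```

The first scenario is the situation described in the quoted text: the rogue resolver sets AD=1 on its forged answer and the stub, having no validation of its own, takes it. With TSIG required, the rogue resolver's unsigned or wrongly keyed answers are dropped; the last scenario is the caveat raised above, a secret lifted from the client makes the rogue resolver indistinguishable from the real one.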