On Wed, 17 Feb 2010, Phillip Hallam-Baker wrote:
> One of the big fallacies of DNSSEC is the idea that providing clients access to the unfiltered authoritative DNS source is the same as securing the DNS. That was the case when DNSSEC was designed, today most endpoints would prefer to opt to connect to some sort of filtered DNS with malware and crimeware sites removed.
"most"? That's quite the claim. If so, then OpenDNS and friends would be much busier rewriting our DNS packets.
> The biggest DNS security vulnerability is in the information that is input to the DNS publication service. Most hijacking schemes have been due to attacks on registrars.
I thought the most used hijacking schemes used dancing hamsters or nude Britney Spears promises to install a new version of SYSTEM32\etc\hosts. In fact, it was so bad that Microsoft even hardcoded their own update servers' IPs in their own DLLs. I have only heard of 2 or 3 attacks via registrar accounts. I've heard of many more compromised caches and hosts files. But I look forward to your substantiation that "most" of us prefer our DNS to be rewritten for security and saving us from typos by redirecting us to advertisement servers (malicious or not).

Paul

_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
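The hosts-file hijacking Paul describes is easy to check for on an endpoint, since a hosts entry for an update, anti-virus or banking domain is never legitimate: pointing it at a routable address redirects the client, and pointing it at loopback silently blocks updates. The following is an added example, not code from the thread or from any of the parties named in it. The watch-list of domains is hypothetical, the hosts-file text is constructed for the example, and the file path in the comments is the real Windows location (%SystemRoot%\System32\drivers\etc\hosts); nothing here reaches the network.

```python
"""Flag hosts-file entries that override domains malware likes to hijack.

Added example for the IETF thread above; not code from the thread.
On Windows the live file is %SystemRoot%\\System32\\drivers\\etc\\hosts,
on Unix it is /etc/hosts. Here a constructed sample is used instead.
"""
import ipaddress
from typing import Dict, List, Set

# Hypothetical watch-list (an assumption for the example): domains whose
# resolution an attacker gains from overriding. Subdomains match too.
WATCHED_DOMAINS: Set[str] = {
    "windowsupdate.microsoft.com",
    "update.microsoft.com",
    "example-av.com",
    "example-bank.com",
}

# Constructed sample hosts file, not captured from a real machine.
# Line 4 is a normal ad-block entry; lines 5-7 are the kinds of entries
# a hosts-file trojan leaves behind; line 8 is garbage to show error handling.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.tracker.example        # legitimate block-list entry
203.0.113.7     windowsupdate.microsoft.com update.microsoft.com
127.0.0.1       liveupdate.example-av.com  # blackholes AV updates
203.0.113.9     WWW.Example-Bank.com
not-an-ip       something.example
"""


def is_watched(name: str, watched: Set[str]) -> bool:
    """True if name is a watched domain or lies under one (case-insensitive)."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in watched)


def find_hijacks(text: str, watched: Set[str] = WATCHED_DOMAINS) -> List[Dict]:
    """Scan hosts-file text and return one finding per suspicious mapping.

    kind == "redirect":  watched name mapped to a routable address
    kind == "blackhole": watched name mapped to loopback/unspecified
    kind == "malformed": line that is not '<ip> <name>...'
    """
    findings: List[Dict] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        try:
            if len(fields) < 2:
                raise ValueError("missing hostname")
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            findings.append({"line": lineno, "kind": "malformed",
                             "text": raw.strip()})
            continue
        for name in fields[1:]:
            if not is_watched(name, watched):
                continue
            kind = "blackhole" if (ip.is_loopback or ip.is_unspecified) else "redirect"
            findings.append({"line": lineno, "kind": kind,
                             "name": name.lower(), "ip": str(ip)})
    return findings


def summarize(findings: List[Dict]) -> Dict[str, int]:
    """Count findings by kind, e.g. {'redirect': 3, 'blackhole': 1, 'malformed': 1}."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in find_hijacks(SAMPLE_HOSTS):
        print(f)
    print(summarize(find_hijacks(SAMPLE_HOSTS)))
```

To run it against a live machine, replace SAMPLE_HOSTS with the contents of the real hosts file; the check deliberately treats a loopback mapping of a watched domain as a finding rather than as harmless blocking, because suppressing update traffic is exactly what the trojans Paul refers to did.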