Re: [ietf] DNS spoofing at captive portals

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi John,

On 09/26/2010 04:34 AM, John R. Levine wrote:
>>> But we have real situtations where the opposite is true,
>>> quite possibly more often than the other way around.
> 
> Not really.  There turn out to be a significant number of domains, in
> the hundreds of thousands at least, that are purely evil.  Some host

So, if DNSSEC is enabled with an end-host validator and the ISP cache
returns a different record for such a domain, the DNSSEC validator will
mark it as bogus and the user gets a serverfailure response.  The domain
cannot be accessed.  This is exactly right.

DNSSEC provides integrity checks, it does not synthesize the original
data out of thin air.  Thus, domains can be blocked.

> 
> As I said in a previous message, I am not a big fan of rewriting
> NXDOMAIN, and I was on one of ICANN's advisory committees and helped

Showing an advert then, does not work.  Of course, showing an advert on
someone elses domain name is not particularly nice.

So, an ISP can provide a DNSSEC-enabled cache (that can validate as
well), and can block malware, and end-users can use that cache, and run
their own validator to secure the path to the ISP cache.  So, an
end-user can run a validator that is still a 'stub' that connects to the
ISP cache.  This is much more efficient too as the ISP cache has all the
data (and DNSSEC signatures) in its cache.

A remaining stumbling block (well, once the ISP runs a DNSSEC cache), is
the cablemodem-thingy, but it turns out these can (very often) be
circumvented by providing the validating-stub on the end-users machine
with the direct IP-address(es) of the ISP cache.

Best regards,
   Wouter
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkygTQYACgkQkDLqNwOhpPgbdACfbCRxW3Rii+MlFOUVeCl+HVRM
CJwAoLHbvFWyMSH+rf0wjuCcNR2jnz88
=JuT/
-----END PGP SIGNATURE-----
_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf


[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]