> -----Original Message-----
> From: funsec-boun...@linuxbox.org [mailto:funsec-boun...@linuxbox.org]
> On Behalf Of valdis.kletni...@vt.edu
> Sent: Friday, August 06, 2010 12:54 PM
> To: noloa...@gmail.com
> Cc: funsec@linuxbox.org
> Subject: Re: [funsec] "The ISC is the Microsoft of the DNS, BIND its
> Windows,..."
>
> On Fri, 06 Aug 2010 15:30:10 EDT, Jeffrey Walton said:
> > request. Under this scheme, the distributed, fault tolerant nature of
> > DNS will be nullified. That is, a government only needs to poison the
> > database of one cooperating operator, and other cooperating dns
> > operators will dutifully incorporate the changes. To make matters
> > worse, the poisoning will cross national/political boundaries -
> > something governments don't fully enjoy under the current system.
>
> Oddly enough, BGP has exactly the same problem.

[Tomas L. Byrnes]
Actually the DNS has less of a problem than BGP. Given that there is a concept of ownership and hierarchy of delegation in DNS, you can't just inject false information about a given zone at any node in the DNS and have it propagate. You have to do it at some part of the resolver chain, and you can only affect those resolvers downstream of the chain.

If the hysteria about RPZ were true, then pretty much anyone with a DNS server could already hijack anyone else's domain, and that is just not the case. Even large ISPs can't enforce their own NXDOMAIN redirects, as users circumvent them with their own nameservers.

If you want to RPZ (or just plain redirect) foo.com, you can either only do so for all resolvers and forwarders that chain to your nameservers, or you have to actually get (all) the com root-servers to incorporate your RPZ.

To use BGP, all you have to do is get some widely peered ISP to send a more specific route than the current one, as happened when Pakistan hosed Youtube.

RPZ is not a bogeyman, since it doesn't actually do anything the US gov couldn't already make ATT.net and others already do, using CNAME or DNAME. It is useful, for those who are sick and tired of playing whack-a-mole with "Marko" and his friends.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
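The scoping argument in the post above, as an added illustration that is not part of the list thread and not code from ISC or BIND: a toy Python model in which a response policy (RPZ, or an equivalent CNAME/DNAME rewrite) installed on one recursive resolver only changes answers for the clients and forwarders chained to it, while a more-specific BGP prefix announced once at a well-peered transit is preferred by every router that receives it. The resolver names, hostnames, addresses (RFC 5737 documentation ranges), AS numbers and peering graph are all constructed for the example; the flood in `propagate` stands in for real BGP path selection, which also weighs AS-path and policy.

```python
"""Toy model (constructed, not from the thread): scope of a DNS response
policy on one resolver versus a BGP more-specific announcement."""
from ipaddress import ip_address, ip_network

# Flat stand-in for the authoritative com delegation chain (made-up data).
AUTHORITATIVE = {"foo.com.": "198.51.100.10", "bar.com.": "198.51.100.20"}


class Resolver:
    """Recursive resolver that optionally forwards to another resolver and
    optionally applies a local response-policy table (qname -> rewritten A)."""

    def __init__(self, name, forwarder=None, rpz=None):
        self.name = name
        self.forwarder = forwarder
        self.rpz = rpz or {}

    def resolve(self, qname):
        if qname in self.rpz:            # policy fires only for queries that reach us
            return self.rpz[qname]
        if self.forwarder is not None:   # downstream of a policy resolver: inherits it
            return self.forwarder.resolve(qname)
        return AUTHORITATIVE.get(qname, "NXDOMAIN")


def dns_answers(qname):
    """Answer seen from each resolver in a small constructed topology."""
    isp = Resolver("isp-resolver", rpz={"foo.com.": "192.0.2.53"})  # sinkhole
    home = Resolver("home-router", forwarder=isp)  # chains to the ISP resolver
    own = Resolver("user-own-resolver")            # bypasses the ISP entirely
    return {r.name: r.resolve(qname) for r in (isp, home, own)}


def propagate(peers, origin_router, prefix, origin_as):
    """Flood a prefix announcement from origin_router across the peering graph.
    Returns a per-router RIB fragment {prefix: origin_as}."""
    ribs = {r: {} for r in peers}
    stack, seen = [origin_router], set()
    while stack:
        r = stack.pop()
        if r in seen:
            continue
        seen.add(r)
        ribs[r][prefix] = origin_as
        stack.extend(peers[r])
    return ribs


def best_route(rib, dest):
    """Longest-prefix match: the most specific covering prefix wins."""
    dest = ip_address(dest)
    matches = [(net, asn) for net, asn in rib.items() if dest in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None


def bgp_answers(dest):
    """Origin AS each router selects for dest, before and after a /25
    more-specific is injected at a single well-peered transit (constructed)."""
    peers = {"transit": ["edge-a", "edge-b"], "edge-a": ["transit"],
             "edge-b": ["transit", "edge-c"], "edge-c": ["edge-b"]}
    ribs = propagate(peers, "edge-a", ip_network("203.0.113.0/24"), 64500)
    before = {r: best_route(rib, dest) for r, rib in ribs.items()}
    injected = propagate(peers, "transit", ip_network("203.0.113.0/25"), 64501)
    for r in ribs:
        ribs[r].update(injected[r])
    after = {r: best_route(rib, dest) for r, rib in ribs.items()}
    return before, after


if __name__ == "__main__":
    print(dns_answers("foo.com."))   # only isp-resolver and home-router see the sinkhole
    print(bgp_answers("203.0.113.7"))  # every router flips from 64500 to 64501
```

Running it shows the asymmetry the post describes: the user who runs their own resolver never sees the ISP's policy answer for foo.com, whereas after the /25 appears, every router in the graph, including the one adjacent to the legitimate origin, selects the injected origin. Defensively, that is why RPZ deployments are reviewed per resolver population, while route-origin problems call for network-wide controls such as prefix filtering and RPKI origin validation.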