ting botnet's C&C network or redirect
users to malware. If the location of the RPZ servers is hidden,
diagnosing network problems becomes much more difficult. This has the
net effect of making the DNS less reliable.
The widespread use of captive portals has already made implementation of
e
> Could you explain in more detail why you don't believe operators will
> continue to use RPZ to protect their users, and why you think hostile
> actors will do things with RPZ that they couldn't do now?
I was specifically asking about the redirect/record replace
r IETF & WG change control. If that's not the intent, then the
document should not be adopted.
--
Scott Schmit
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
On Sun, Dec 18, 2016 at 07:59:44PM +, Tony Finch wrote:
> Scott Schmit wrote:
> > This doesn't magically make it possible for this DNS firewall to forge
> > DNSSEC-signed data, so if a validating end-system is going to have its
> > behavior modified, it would need to
t would highlight
where this is being used, since only affected domains would have their
lookups broken. The natural counter to that would be to deliberately
break DNSSEC everywhere to blind end-users to where they're being lied
to.
So this, if implemented, is ultimately a DNSSEC-killer.
--
er?
Perhaps you're thinking of this expired draft: draft-hoffman-server-has-tls?
--
Scott Schmit
smime.p7s
Description: S/MIME cryptographic signature
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
On Mon, Apr 16, 2012 at 08:32:59AM -0700, David Conrad wrote:
> On Apr 16, 2012, at 4:52 AM, Scott Schmit wrote:
> > Please explain how operators will prevent this, and why they can
> > afford to remove a zone from the NTA list (while it is still
> > failing) but couldn
On Sun, Apr 15, 2012 at 09:24:35PM -0700, David Conrad wrote:
> On Apr 15, 2012, at 6:28 PM, Scott Schmit wrote:
> > It's manual for now...until the utter lack of consequences for screwing
> > up (everybody can still get to the broken zones just fine) junks up the
> > N
themselves, they don't see the ISP
page, but all DNS resolvers look the same to them (i.e., switching to
8.8.8.8 won't fix it) so they'll eventually realize its their own
machine, etc.
I'm not entirely sure I like that solution, but I think I like it
better.
--
Scott Schmit
spam
blacklists), then there's something to talk about, but in that case
I'd want it to be secured via DNSSEC, and let's hope the operators of
those don't screw up or start blacklisting each other. (Either on
purpose or due to unfortunate timing.)
Attacking DLNV zones would have
10 matches
Mail list logo