DNS cache poisoning attacks -- are they real?
sean at donelan.com
Sun Mar 27 01:15:40 UTC 2005
On Sat, 26 Mar 2005, Joe Abley wrote:
> The obvious rejoinder to this is that there are no trustworthy pointers
> from the root down (and no way to tell if the root you are talking to
> contains genuine data) unless all the zones from the root down are
> signed with signatures you can verify and there's a chain of trust to
> accompany each delegation.
> If you don't have cryptographic signatures in the mix somewhere, it all
> boils down to trusting IP addresses.
Signatures don't create trust. A signature can only confirm an existing
trust relationship. DNSSEC would have the same problem: where do you get
the trustworthy signatures? By connecting to the same root you don't
As a practical matter, you can stop 99% of the problems with a lot less
effort. Why has SSH been so successful, and DNSSEC stumbled so badly?
Always initiate the call yourself. Always check the nonce in the
answer. Never accept unsolicited data. Never accept answers to questions
you didn't ask.
Besides, if you don't trust IP addresses, even if the entire DNS tree
were signed by trustworthy keys I'd just hijack the IP address in the DNS
answer anyway. Quarantine NAT is very good at this.
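As an added illustration of the resolver rules stated in the post (added here; not code from the post, from its author or from NANOG): a small Python check that accepts a UDP reply only when its source address, transaction ID and question section all match a query the resolver itself sent. The PENDING table and the packets are constructed samples; a real resolver would also randomize its source port and apply bailiwick rules to any records it caches.

```python
import struct

# Constructed sample of outstanding queries: (server ip, port, random txid) -> (qname, qtype)
PENDING = {("192.0.2.53", 53, 0x1A2B): ("example.com.", 1)}   # qtype 1 = A

def parse_name(msg, off, hops=0):
    """Decode a DNS name at offset `off`; returns (name, offset just past it)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                       # compression pointer
            if hops > 16:
                raise ValueError("pointer loop")
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            end = off + 2 if end is None else end
            off, hops = ptr, hops + 1
            continue
        off += 1
        if ln == 0:
            return ".".join(labels) + ".", (off if end is None else end)
        labels.append(msg[off:off + ln].decode("ascii").lower())
        off += ln

def build_message(txid, qname, qtype, response=False):
    """Build a minimal one-question DNS packet (used to construct the samples)."""
    flags = 0x8180 if response else 0x0100
    q = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.rstrip(".").split(".")) + b"\x00"
    return struct.pack("!6H", txid, flags, 1, 0, 0, 0) + q + struct.pack("!HH", qtype, 1)

def validate_response(pending, src, msg):
    """Accept a reply only if it comes from the server we asked, carries the
    transaction ID we chose, and repeats the question we sent. Returns (ok, reason)."""
    try:
        txid, flags, qdcount = struct.unpack("!3H", msg[:6])
        if not flags & 0x8000:
            return False, "QR bit clear: not a response"
        key = (src[0], src[1], txid)
        if key not in pending:
            return False, "unsolicited: no outstanding query with this source and ID"
        if qdcount != 1:
            return False, "unexpected question count"
        qname, off = parse_name(msg, 12)
        qtype = struct.unpack("!H", msg[off:off + 2])[0]
        if (qname, qtype) != pending[key]:
            return False, "answers a question we did not ask"
    except (IndexError, ValueError, struct.error):
        return False, "malformed packet"
    del pending[key]                                # one reply per transaction ID
    return True, "accepted"
```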