DNS cache poisoning attacks -- are they real?
Joe Abley
jabley at isc.org
Sun Mar 27 00:32:18 UTC 2005
Le 26 mars 2005, à 17:52, Sean Donelan a écrit :
> You forgot the most important requirement, you have to be using
> insecure, unpatched DNS code (old versions of BIND, old versions of
> Windows, etc). If you use modern DNS code and which only follows
> trustworthy pointers from the root down, you won't get hooked by
> this.
The obvious rejoinder to this is that there are no trustworthy pointers
from the root down (and no way to tell if the root you are talking to
contains genuine data) unless all the zones from the root down are
signed with signatures you can verify and there's a chain of trust to
accompany each delegation.
If you don't have cryptographic signatures in the mix somewhere, it all
boils down to trusting IP addresses.
Joe
More information about the NANOG
mailing list