Hey, SiteFinder is back, again...

David Conrad drc at virtualized.org
Tue Nov 6 02:16:58 UTC 2007


Mark,

On Nov 5, 2007, at 5:31 PM, Mark Andrews wrote:
> 	All you have to do is move the validation to a machine you
> 	control to detect this garbage.

You probably don't need to bother with DNSSEC validation to stop the  
Verizon redirection.  All you need do is run a caching server.

> 		dnssec-enable yes;
> 		dnssec-validation yes;
> 		forward only;
> 		forwarders { <Verizon's caching servers>; };

Why bother forwarding?

> 		dnssec-lookaside . trust-anchor <dlv registry>;

You forgot the bit where everybody you want to do a DNS lookup on  
signs (and maintains) their zones and trusts and registers with <dlv  
registry> (of which there is exactly one that I know of and that one  
has 17 entries in it the last I looked).   You also didn't mention  
that everyone doing this will reference the DLV registry on every non- 
cached lookup.  Puts a _lot_ of trust (both security wise and  
operationally) in <dlv registry>...

> 	All lookups which Verizon has interfered with from signed zones
> 	will fail.

Yeah, and Verizon customers would get a timeout (after how long?)  
instead of a more quickly returned A (or maybe a AAAA) RR to a  
Verizon controlled search engine.  Not really sure the cure is better  
than the disease.  Also not sure what the point is -- most common  
typos are already squatted upon and validly registered to an adsense  
pay-per-click web page, typically a search engine (e.g.,  
www.baknofamerica.com).  Seems to me the slimeballs have won yet  
again...

Regards,
-drc
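The check behind the "run a caching server" point above, as an added example that is not part of the thread: a name that cannot exist should come back NXDOMAIN (rcode 3) from any honest resolver, so an A/AAAA answer to such a probe is the signature of SiteFinder-style rewriting. The wire-format responses are constructed inline (the probe label, example.net and 203.0.113.10 are placeholders), so it runs offline; point the same parser at UDP replies from a resolver under test to check your own path.

```python
import struct

def encode_name(name):
    """DNS wire encoding of a dotted name (uncompressed)."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def read_name(msg, off):
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                  # compression pointer (RFC 1035 4.1.4)
            end = end or off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end or off)
        labels.append(msg[off:off + length].decode())
        off += length

def parse_response(msg):
    """Return (rcode, [(name, rtype, rdata), ...]) from a wire-format response."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                            # skip the question section
        off = read_name(msg, off)[1] + 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == 1 and rdlen == 4:              # A record: render as dotted quad
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, rdata))
    return flags & 0xF, answers

def is_redirected(msg):
    """A probe name should yield NXDOMAIN (rcode 3); an A/AAAA answer means rewriting."""
    rcode, answers = parse_response(msg)
    return rcode == 0 and any(rtype in (1, 28) for _, rtype, _ in answers)

def build_response(qname, rcode, ip=None):
    """Constructed reply to a qname/IN/A query (sample data, not a capture)."""
    flags = 0x8180 | rcode                         # QR=1, RD=1, RA=1
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, 1 if ip else 0, 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", 1, 1)
    if ip:                                         # answer owner = pointer to question name at offset 12
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes(map(int, ip.split(".")))
    return msg
```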
