Blocking International DNS

Joe Abley jabley at hopcount.ca
Mon Nov 22 15:48:10 UTC 2010


On 2010-11-22, at 10:43, Joe Greco wrote:

> It's funny, isn't it, didn't we just finish convincing the government
> of the need for DNSSEC, making the DNS system more resistant to some
> forms of tampering?

I guess if the manner of the interception was to send back SERVFAIL to DNS clients whose queries were (in some sense) objectionable, the result would be that the clients were not able to resolve the (in some sense) bad names. This would in effect be a selective denial of service attack to DNS clients.

DNSSEC provides no integrity protection over that type of interference -- you need to get an answer for the answer to have a signature, and without a signature there's nothing to check.


Joe
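
The point made in the message above, as an added example that is not part of the original post: a check over constructed DNS wire-format responses showing that a SERVFAIL reply carries no RRSIG for a validator to verify. The function names, the sample packets and the placeholder RRSIG bytes are assumptions made for illustration.

```python
import struct

RRSIG, SERVFAIL = 46, 2  # RR type and RCODE values from the DNS specifications

def build_response(rcode, answers):
    """Constructed sample: response to 'example.com A' with the given (type, rdata) answers."""
    msg = struct.pack("!HHHHHH", 0x1234, 0x8180 | rcode, 1, len(answers), 0, 0)
    msg += b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    for rtype, rdata in answers:
        # Owner name is a compression pointer back to the question name at offset 12.
        msg += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return msg

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:
            return off + 2
        off += 1 + n

def classify(msg):
    """Say whether a response contains anything a DNSSEC validator could check."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    types = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        types.append(rtype)
    if RRSIG in types:
        return "validatable"                   # signed data present
    if (flags & 0xF) == SERVFAIL and not types:
        return "nothing-to-validate"           # no answer, so no signature
    return "unsigned"

if __name__ == "__main__":
    a_rdata = b"\xc0\x00\x02\x01"              # 192.0.2.1 (documentation range)
    fake_sig = b"\x00" * 18                    # placeholder bytes, not a real RRSIG
    print(classify(build_response(SERVFAIL, [])))
    print(classify(build_response(0, [(1, a_rdata), (RRSIG, fake_sig)])))
```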




