what if...?

Michael Sinatra michael at rancid.berkeley.edu
Tue Dec 20 11:46:11 CST 2011


On 12/20/11 09:31, Valdis.Kletnieks at vt.edu wrote:
> On Tue, 20 Dec 2011 17:16:06 GMT, bmanning at vacation.karoshi.com said:
>
>> 	the one difference is that ISC will be shipping RPZ enabled code v.
>> 	the blackhat having to hack the machine and modify the configuration.
>
> EIther way, the blackhat still has to hack the machine and modify the config.
> The only difference is what config change they make.

Yes and...

If you have a really insecure DDNS update mechanism on your master RPZ 
zone, then I can see how RPZ might lower the bar *a little*, but I have 
to stretch my imagination quite a bit for that to happen.

If your ISP doesn't use RPZ (regardless of whether the code is present 
in BIND), then the bad guy has to hack the box, set up an RPZ 
configuration, and then pollute it with bad data.  Much easier to just 
install a bunch of fake zones.

RPZ is a red herring here.

michael



More information about the NANOG mailing list