> From: Warren Kumari <war...@kumari.net>

> >> I suspect they're more interested in getting "registry lock" in place 
> >> rather than DNSSEC.

> >> Most of the attacks against Google have involved changing the name servers 
> >> completely .. 
> > 
> >     Through social engineering and sometimes through directed attacks, yes.
>
> Sadly yes. 

I trust we all agree that cache attacks with non-random ports,
fragmentation, or padding are irrelevant except perhaps indirectly
through the general (lack of) value of DNSSEC that I claim better
prevents cache attacks than random ports.

Wouldn't DNSSEC have not made things worse and possibly made them
better by:
  - making the social engineering more difficult by forcing the bad
    guys to change key as well as NS RRs
  - possibly making the bogus records fail to validate for a while
    at the start of the attack, thanks to what might look like an
    unplanned KSK change.
  - possibly making the bogus records fail to validate sooner and so
    get ignored sooner after the registrar records are restored, again
    thanks to what might look like an unplanned KSK change.


Vernon Schryver    v...@rhyolite.com
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
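The first two points above rest on the parent's DS record: a validating resolver only trusts a child DNSKEY whose digest matches a DS held by the parent, so swapping NS records at the registrar without also swapping the DS leaves the served key unable to validate. The following is an added example, not code from this thread; it models that secure-entry-point check with the DS digest and key tag computed as in RFC 4034 (SHA-256 digest type per RFC 4509), using constructed stand-in key bytes rather than real keys.

```python
# Added example: why NS-only registrar hijacks fail DNSSEC validation.
# DS digest per RFC 4034 5.1.4, key tag per RFC 4034 Appendix B.
# Key material below is constructed placeholder bytes, not real keys.
import hashlib
import struct

DNSKEY_FLAGS_KSK = 257
PROTOCOL = 3
ALG_RSASHA256 = 8
DIGEST_SHA256 = 2

def wire_name(name):
    """Canonical wire form of an owner name: length-prefixed lowercase labels."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags, algorithm, pubkey):
    """DNSKEY RDATA: flags, protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, PROTOCOL, algorithm) + pubkey

def key_tag(rdata):
    """RFC 4034 Appendix B key tag (algorithms other than 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i % 2 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, flags, algorithm, pubkey):
    """Parent-side DS: (key tag, algorithm, digest type, SHA-256 digest)."""
    rdata = dnskey_rdata(flags, algorithm, pubkey)
    digest = hashlib.sha256(wire_name(owner) + rdata).digest()
    return (key_tag(rdata), algorithm, DIGEST_SHA256, digest)

# Constructed zone: the parent's DS set was signed over the legitimate KSK.
ZONE = "example.com."
LEGIT_KSK = b"\x01" * 64     # constructed stand-in public key bytes
ATTACKER_KSK = b"\xee" * 64  # constructed stand-in for a hijacker's key
PARENT_DS = {make_ds(ZONE, DNSKEY_FLAGS_KSK, ALG_RSASHA256, LEGIT_KSK)}

def validation_outcome(served_ksk, parent_ds):
    """'secure' if the KSK served by the (possibly hijacked) NS chains to a
    DS in the parent, else 'bogus' (a validator returns SERVFAIL)."""
    ds = make_ds(ZONE, DNSKEY_FLAGS_KSK, ALG_RSASHA256, served_ksk)
    return "secure" if ds in parent_ds else "bogus"
```

With only the NS records changed, the hijacker's key yields "bogus"; the answer only becomes "secure" again once the parent's DS set is also replaced, which is the extra step the message argues DNSSEC forces on the attacker.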