Those are the DNS protocol mechanisms in place. There are also lower-level security technologies, such as IPsec, that could be used between stub clients and recursive servers that don't rely on DNSSEC at all.
It depends on the network the client and recursive server are on.

Scott

John Schnizlein wrote:
> RFC 2845 - Secret Key Transaction Authentication for DNS (TSIG)
>
> This protocol allows for transaction level authentication using shared
> secrets and one way hashing. It can be used to authenticate dynamic
> updates as coming from an approved client, or to authenticate responses
> as coming from an approved recursive name server.
>
> or
>
> RFC 3645 - Generic Security Service Algorithm for Secret Key
> Transaction Authentication for DNS (GSS-TSIG)
>
> The Secret Key Transaction Authentication for DNS (TSIG) protocol
> provides transaction level authentication for DNS. TSIG is extensible
> through the definition of new algorithms. This document specifies an
> algorithm based on the Generic Security Service Application Program
> Interface (GSS-API) (RFC2743). This document updates RFC 2845.
>
>
> On 2009Apr23, at 6:32 AM, 马迪 wrote:
>
>> Hi, folks.
>>
>> As we all know, DNSSEC provides origin authentication and integrity
>> assurance services for DNS data exchanged between DNS resolver and
>> name-server, while DNSSEC fails to give a means by which the DNS
>> queries or responses transmitted between a host and a recursive server
>> could be guaranteed integrity and authentication. For example, a
>> malicious attacker might hijack the DNS query from a host and fake a
>> response which will help him commit phishing. So I wonder, is there
>> someone having a certain solution, more exactly a software
>> implementation on host, to protect against such attack?
>>
>> 2009-04-23
>> [email protected]
>
> _______________________________________________
> DNSOP mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dnsop
>

--
----------------------------------------
Scott Rose
Computer Scientist
NIST
ph: +1 301-975-8439
[email protected]

http://www-x.antd.nist.gov/dnssec
http://www.dnsops.gov/
-----------------------------------------
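
Added example, not part of the original messages and not code from any DNS implementation: how the TSIG mechanism (RFC 2845) cited in the quoted reply lets a host check that a response came from the recursive server holding the shared secret and answers the host's own query. The key name, secret, timestamp and addresses are constructed, and hmac-sha256 (RFC 4635) is an assumed algorithm choice; RFC 2845 itself defines HMAC-MD5.

```python
import hashlib, hmac, struct

ALGORITHM = "hmac-sha256"  # assumption: RFC 4635 name; RFC 2845 itself defines HMAC-MD5

def wire_name(name):
    """Domain name in DNS wire format, lowercased (canonical form)."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def tsig_mac(secret, message, key_name, time_signed, fudge, request_mac=b""):
    """MAC over [request MAC] + DNS message + TSIG variables (RFC 2845, 3.4)."""
    prefix = struct.pack("!H", len(request_mac)) + request_mac if request_mac else b""
    variables = (wire_name(key_name) + struct.pack("!HI", 255, 0)   # CLASS ANY, TTL 0
                 + wire_name(ALGORITHM)
                 + struct.pack("!HIH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge)
                 + struct.pack("!HH", 0, 0))                        # Error, Other Len
    return hmac.new(secret, prefix + message + variables, hashlib.sha256).digest()

def verify(secret, message, key_name, time_signed, fudge, mac, now, request_mac=b""):
    """Accept only a fresh message whose MAC matches under the shared secret."""
    if abs(now - time_signed) > fudge:
        return False                                   # BADTIME: outside clock-skew window
    expected = tsig_mac(secret, message, key_name, time_signed, fudge, request_mac)
    return hmac.compare_digest(expected, mac)          # constant-time comparison

def dns_message(flags, answer_ip=None):
    """Constructed sample: query or response for www.example.com A, ID 0x1234."""
    question = wire_name("www.example.com") + struct.pack("!HH", 1, 1)
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 1 if answer_ip else 0, 0, 0)
    answer = b""
    if answer_ip:                                      # one A record, name compressed
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes(answer_ip)
    return header + question + answer

def demo():
    secret, key, t = b"constructed-shared-secret", "stub-key.example", 1240482720
    query = dns_message(0x0100)
    query_mac = tsig_mac(secret, query, key, t, 300)
    response = dns_message(0x8180, (192, 0, 2, 1))
    response_mac = tsig_mac(secret, response, key, t + 1, 300, query_mac)
    forged = dns_message(0x8180, (203, 0, 113, 66))    # substituted address, same MAC
    check = lambda msg, now, req: verify(secret, msg, key, t + 1, 300, response_mac, now, req)
    return {"genuine": check(response, t + 2, query_mac),
            "forged": check(forged, t + 2, query_mac),
            "other_query": check(response, t + 2, b"\x00" * 32),
            "stale": check(response, t + 3600, query_mac)}

if __name__ == "__main__":
    print(demo())
```

Because the response MAC covers the request MAC, a response signed for one query does not verify against a different query, and the fudge window rejects replays of old signed responses.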
