On Mon, Feb 25, 2008 at 3:15 AM, Robin Whittle <[EMAIL PROTECTED]> wrote:

> How would you secure each ITR from bogus map replies which pretend
> to be from the authoritative nameserver?
Hi Robin,

TRRP relies mostly on security mechanisms present in DNS itself. The request includes a serial number. The same serial number has to be in the reply. Unsolicited replies and replies containing information outside their scope of authority are ignored.

This is generally effective. Google has not suffered much in the way of DNS hijacking above the worm-changes-client-dns-resolver level. Neither has anyone else. The attacks you've heard of, such as cache poisoning, trace to bugs where the above two requirements were misimplemented.

DNSSEC is compatible with TRRP as far as I can tell, but it's not required. DNSSEC has not been widely adopted because the operations-level need has not demonstrated itself.

I bet the question you want to ask is: how would TRRP have handled this weekend's YouTube hijacking?

That's hard to say with certainty since BGP doesn't completely go away with TRRP. A bad actor with access to the DFZ's BGP system can do significant if temporary damage, and TRRP doesn't fundamentally change that. Presumably AS 17557 is large enough that they'll still be talking BGP with at least one short PA prefix at their border.

On the TRRP/DNS side of things, they could trivially effect an intercept and rewrite of the DNS lookup requests for YouTube's ETR from within Pakistan. On the other hand, getting that to leak without fouling something up on the BGP side would be as close to impossible as any such things tend to get. TRRP doesn't draw traffic with a knowledge push, so there's no path for the intercept knowledge to flow through.

Regards,
Bill Herrin

-- 
William D. Herrin                  [EMAIL PROTECTED]  [EMAIL PROTECTED]
3005 Crane Dr.                     Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004

--
archive: <http://psg.com/lists/rrg/> & ftp://psg.com/pub/lists/rrg
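The reply-validation rules described in the message above (the serial must match a pending request, unsolicited or replayed replies are dropped, and records outside the responder's scope of authority are ignored), as an added Python example. This is not TRRP's or any ITR's own code; the class and field names, the mapping-name convention, the zone and the ETR addresses are all constructed for illustration.

```python
import secrets
from dataclasses import dataclass


@dataclass
class MapRequest:
    serial: int   # unpredictable 32-bit serial, like a DNS transaction ID
    name: str     # mapping name being looked up (constructed naming scheme)
    zone: str     # zone the request was sent to: the responder's scope of authority


@dataclass
class MapReply:
    serial: int
    records: dict  # mapping name -> ETR address claimed by the responder


class ITRMappingCache:
    """Hypothetical, simplified TRRP-style mapping cache on an ITR."""

    def __init__(self):
        self.pending = {}  # serial -> MapRequest awaiting a reply
        self.cache = {}    # mapping name -> accepted ETR address

    def send_request(self, name, zone):
        # A random serial means an attacker who never saw the request
        # cannot forge a reply that matches it.
        serial = secrets.randbits(32)
        req = MapRequest(serial, name, zone)
        self.pending[serial] = req
        return req

    @staticmethod
    def in_scope(record_name, zone):
        # A record is in scope only if it lies at or below the queried zone.
        return record_name == zone or record_name.endswith("." + zone)

    def receive_reply(self, reply):
        # Unknown serial: unsolicited, forged, or a replay of a consumed serial.
        req = self.pending.pop(reply.serial, None)
        if req is None:
            return ("dropped", 0)
        accepted = 0
        for name, etr in reply.records.items():
            if not self.in_scope(name, req.zone):
                continue  # outside the responder's authority: ignore the record
            self.cache[name] = etr
            accepted += 1
        return ("accepted", accepted)
```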
