[dnssec-deployment] AP: "Use of Rogue DNS servers on rise"
Richard Lamb
richard.lamb at icann.org
Mon Feb 18 13:27:27 EST 2008
I thought the idea was to use the TPM chip to store/sign trust anchors
or is that being deprecated given MSFT's abandonment of NGSCB?
Otmar Lendl wrote:
> On 2008/02/16 01:02, Phil Regnauld <regnauld+dnssec at catpipe.net> wrote:
>> http://ap.google.com/article/ALeqM5ifrgeDBfUGAvXtLH_vgVrKcm0s_wD8UPLR8O1
>
> [...]
>
>> People
>> usually automatically use the DNS servers of their Internet providers,
>> but the recent wave of attacks modify the settings on victims'
>> computers to send traffic to rogue DNS servers.
>
> I'm wondering what DNSSEC can help with.
>
> If the client PC doesn't do DNSSEC, and uses tsig to a trusted resolver
> then a simple change of the IP address in the resolv.conf (or
> equivalent) will be noticed.
>
> The malware can work around that by either disabling the tsig protection
> or changing the stored key. The user won't notice this.
>
> If the client PC does do the full DNSSEC processing itself, then the
> malware needs to manipulate the stored trust anchors to break the
> system once again.
>
> As I see it: DNSSEC could help you against attackers who manipulate
> foreign servers or data in transit, but once you can't trust your own
> computer, you're lost nevertheless.
>
> Current malware already routinely disables anti-virus software. The
> change to also disable DNSSEC settings seems rather trivial.
>
> Or do I view this too pessimistically once again?
>
> /ol
> --
> -=- Otmar Lendl -- ol at bofh.priv.at -=-
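
The TSIG case from the quoted message, as an added example that is not part of the original thread: a simplified model in which HMAC-SHA256 over the reply stands in for the TSIG MAC. The class names, keys and addresses are constructed for illustration, and the settings fingerprint assumes a baseline recorded somewhere the host cannot write.

```python
import hashlib
import hmac

def mac(key: bytes, msg: bytes) -> bytes:
    # Simplified stand-in for a TSIG MAC: HMAC-SHA256 over the reply only.
    return hmac.new(key, msg, hashlib.sha256).digest()

class Resolver:
    """A resolver that signs each reply with the key it holds."""
    def __init__(self, key: bytes, zone: dict):
        self.key, self.zone = key, zone

    def query(self, name: str):
        reply = f"{name} A {self.zone[name]}".encode()
        return reply, mac(self.key, reply)

class StubClient:
    """Local settings: resolver address plus shared key, both stored on the host."""
    def __init__(self, resolver_addr: str, key: bytes):
        self.resolver_addr, self.key = resolver_addr, key

    def lookup(self, network: dict, name: str):
        reply, tag = network[self.resolver_addr].query(name)
        if not hmac.compare_digest(tag, mac(self.key, reply)):
            return None  # MAC mismatch: the reply is rejected
        return reply.decode()

    def fingerprint(self) -> str:
        # Digest of the local settings, to compare with a baseline kept off the host.
        return hashlib.sha256(self.resolver_addr.encode() + b"|" + self.key).hexdigest()

# Constructed sample data (documentation address ranges, made-up keys).
GOOD_KEY, ROGUE_KEY = b"shared-secret-with-isp", b"key-chosen-by-malware"
NETWORK = {
    "192.0.2.53": Resolver(GOOD_KEY, {"www.example.com": "192.0.2.10"}),
    "203.0.113.66": Resolver(ROGUE_KEY, {"www.example.com": "203.0.113.99"}),
}

def run_scenarios() -> dict:
    name = "www.example.com"
    baseline = StubClient("192.0.2.53", GOOD_KEY)
    addr_only = StubClient("203.0.113.66", GOOD_KEY)      # only the address changed
    addr_and_key = StubClient("203.0.113.66", ROGUE_KEY)  # address and stored key changed
    return {
        "baseline": baseline.lookup(NETWORK, name),
        "addr_only": addr_only.lookup(NETWORK, name),
        "addr_and_key": addr_and_key.lookup(NETWORK, name),
        "settings_match_baseline": addr_and_key.fingerprint() == baseline.fingerprint(),
    }
```

Changing only the resolver address makes the lookup fail, while changing the address and the stored key together yields an answer the client accepts; only the comparison against the external baseline still shows a difference.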