[dnssec-deployment] Washington Post DNS hijack story
thierry.moreau at connotech.com
Fri Apr 24 16:39:23 EDT 2009
Paul Wouters wrote:
> On Fri, 24 Apr 2009, Frederico A C Neves wrote:
>> On Fri, Apr 24, 2009 at 07:56:14AM -0700, Richard Lamb wrote:
>> DNSSEC would help nothing here. This was a remote OS exploit and local
>> zone configuration at the recursive DNS servers.
> The validating stub with DNS forwarder scheme as in fedora-11 would not
> have been fooled by a compromised upstream cache.
Great! I guess this is a milestone in DNSSEC deployment: a validating
resolver within an application software that is an *effective
countermeasure* to an *actual fraud scheme* making the headlines.

As IT security experts, we all knew this countermeasure in an end-to-end
deployment scheme had non-trivial value. Now, it is a landmark for
those who question the effectiveness of DNSSEC integrity protection,
and/or who are looking for arguments for deployment.

Suggestion: What about some coverage of this effective countermeasure in
DNSSEC this month?
- Thierry Moreau
CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Canada H2M 2A1
web site: http://www.connotech.com
e-mail: thierry.moreau at connotech.com