[dnssec-deployment] Washington Post DNS hijack story
Leo Vegoda
leo.vegoda at icann.org
Fri Apr 24 16:57:18 EDT 2009
On 24/04/2009 1:39, "Thierry Moreau" <thierry.moreau at connotech.com> wrote:
[...]
>>> DNSSEC would help nothing here. This was a remote OS exploit and local
>>> zone configuration at the recursive DNS servers.
>>
>> The validating stub with DNS forwarder scheme as in fedora-11 would not have
>> been fooled by a compromised upstream cache.
>
> Great! I guess this is a milestone in DNSSEC deployment: a validating
> resolver within an application software that is an *effective
> countermeasure* to an *actual fraud scheme* making the headlines.

It's a welcome development. But presumably if Fedora-11 was the targeted OS,
the validating stub resolver would have been disabled or subverted to give
the answers the assailant wanted used.

Regards,
Leo