On Wed, 17 Feb 2010, Phillip Hallam-Baker wrote:
> One of the big fallacies of DNSSEC is the idea that providing clients
> access to the unfiltered authoritative DNS source is the same as
> securing the DNS. That was the case when DNSSEC was designed, today
> most endpoints would prefer to opt to connect to some sort of filtered
> DNS with malware and crimeware sites removed.
"most"? That's quite the claim. If so, then opendns and friends would be
much busier rewriting our DNS packets.
> The biggest DNS security vulnerability is in the information that is
> input to the DNS publication service. Most hijacking schemes have been
> due to attacks on registrars.
I thought the most used hijacking schemes used dancing hamsters or nude Britney
Spears promises to install a new version of SYSTEM32\etc\hosts. In fact, it was
so bad that Microsoft even hardcoded their own update servers' IPs in their
I have only heard of 2 or 3 attacks via registrar accounts. I've heard of many
more compromised caches and hosts files.
But I look forward to your substantiation that "most" of us prefer our DNS to
be rewritten for security and saving us from typos by redirecting us to
advertisement servers (malicious or not).
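The hosts-file hijacking the reply points to (malware adding static entries so an update server resolves to an attacker's address) is something a defender can audit for. The following is an added example, not code from this thread or from any of its participants: it parses a hosts file and flags any mapping of a watched domain, since a managed endpoint should resolve those names through DNS, never through a local static entry. The sample hosts content and the `WATCHED_DOMAINS` list are constructed for illustration.

```python
import ipaddress

# Constructed sample hosts file: benign loopback lines, comments, and one
# override of the kind hijacking malware adds for an update domain.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# the next line is the kind of override hijacking malware adds
203.0.113.5     update.example.com  www.update.example.com
"""

# Hypothetical watch list: domains whose resolution must never come from
# the local hosts file on a managed endpoint.
WATCHED_DOMAINS = {"update.example.com", "www.update.example.com"}


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in a hosts file."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line, not a mapping
        for name in fields[1:]:  # one address may map several names
            yield ip, name.lower(), line_no


def find_hijacks(text, watched=WATCHED_DOMAINS):
    """Return one finding per watched name that the hosts file overrides."""
    findings = []
    for ip, name, line_no in parse_hosts(text):
        if name in watched:
            findings.append({"line": line_no, "name": name,
                             "ip": str(ip), "loopback": ip.is_loopback})
    return findings


if __name__ == "__main__":
    for f in find_hijacks(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['name']} -> {f['ip']}")
```

On a real endpoint, read the platform's hosts file in place of `SAMPLE_HOSTS` and treat any finding as a reason to inspect the host further, whether the target address is loopback (blocking updates) or a remote address (redirecting them).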
Ietf mailing list