Re: [ietf] DNS spoofing at captive portals

2010-09-26 11:27:11
On 25 Sep 2010, at 01:16, John Levine <johnl(_at_)iecc(_dot_)com> wrote:

> Plan C: Sophisticated ISPs might configure their own DNSSEC key into
> customer resolvers, and sign replacement records with that.

DNSSEC's validation model makes this basically impossible. The customer 
resolvers would have to know ahead of time which names will be overridden by 
their ISP and so may be validated by the extra trust anchor.

Plan D: ISPs that want to block the DNS for evil domains just return a server 
failure response for the appropriate queries.

See also Paul Vixie's RPZ proposal.

Tony.
--
f.anthony.n.finch  <dot(_at_)dotat(_dot_)at>  http://dotat.at/