North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Hey, SiteFinder is back, again...

  • From: Mark Andrews
  • Date: Mon Nov 05 20:36:41 2007

In article <[email protected]> you write:
>On Nov 5, 2007, at 8:23 AM, David Lesher wrote:
>> What affect will Allegedly Secure DNS have on such provider
>> hijackings, both of DNS and crammed-in content?
>If what Verizon is doing is rewriting NXDOMAIN at their caching  
>servers, DNSSEC will _not_ help.  Caching servers do the validation  
>and the insertion of the search engine IP addresses in the response  
>would occur after the validation.

	All you have to do is move the validation to a machine you
	control to detect this garbage. 

		dnssec-enable yes;
		dnssec-validation yes;
		forward only;
		forwarders { <Verizon's caching servers>; };
		dnssec-lookaside . trust-anchor <dlv registry>;

	All lookups which Verizon has interfered with from signed zones
	will fail.