North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Hey, SiteFinder is back, again...

  • From: David Conrad
  • Date: Mon Nov 05 21:22:36 2007


On Nov 5, 2007, at 5:31 PM, Mark Andrews wrote:
	All you have to do is move the validation to a machine you
	control to detect this garbage.

You probably don't need to bother with DNSSEC validation to stop the Verizon redirection. All you need do is run a caching server.

		dnssec-enable yes;
		dnssec-validation yes;
		forward only;
		forwarders { <Verizon's caching servers>; };

Why bother forwarding?

dnssec-lookaside . trust-anchor <dlv registry>;

You forgot the bit where everybody you want to do a DNS lookup on signs (and maintains) their zones and trusts and registers with <dlv registry> (of which there is exactly one that I know of and that one has 17 entries in it the last I looked). You also didn't mention that everyone doing this will reference the DLV registry on every non- cached lookup. Puts a _lot_ of trust (both security wise and operationally) in <dlv registry>...

	All lookups which Verizon has interfered with from signed zones
	will fail.

Yeah, and Verizon customers would get a timeout (after how long?) instead of a more quickly returned A (or maybe a AAAA) RR to a Verizon controlled search engine. Not really sure the cure is better than the disease. Also not sure what the point is -- most common typos are already squatted upon and validly registered to a adsense pay-per-click web page, typically a search engine (e.g., Seems to me the slimeballs have won yet again...