Re: Attacking networks using DHCP, DNS - probably kills DNSSEC NOT
In message <ilubrwggo11.fsf_-_@latte.josefsson.org>, Simon Josefsson writes:
> Bill Stewart <bill.stewart@pobox.com> writes:
>>> * Your laptop sees and uses the name "yahoo.com.attackersdomain.com". You may be able to verify this using your DNSSEC root key, if the attackersdomain.com people have set up DNSSEC for their spoofed entries, but unless you are using bad software or judgment, you will not confuse this for the real "yahoo.com".
>> The DNS suffix business is designed so that your laptop tries to use "yahoo.com.attackersdomain.com", either before "yahoo.com" or after unsuccessfully trying "yahoo.com", depending on implementation. It may be bad judgement, but it's designed to support intranet sites for domains that want their web browsers and email to let you refer to "marketing" as opposed to "marketing.webservers.example.com", and Netscape-derived browsers support it as well as IE.
> It can be a useful feature, but it does not circumvent DNSSEC in any way, that I can see. DNSSEC sees yahoo.com.attackersdomain.com and can verify that the IP addresses for that host are the ones that the owner of the y.c.a.c domain publishes, and that is what DNSSEC delivers. The bad judgement I referred to was if your software, after DNSSEC verification, confuses yahoo.com with yahoo.com.attackersdomain.com.
It's also not a new problem -- see RFC 1535.

--Steve Bellovin, http://www.research.att.com/~smb (me)
http://www.wilyhacker.com (2nd edition of "Firewalls" book)
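The search-list behaviour the thread describes, as an added example that is not part of the original thread and not anyone's posted code: a toy stub resolver that expands a short name with a search list following the resolv.conf ndots rule (the hazard RFC 1535 discusses), resolves the candidates against constructed zone data standing in for an attacker-supplied DNS server, and then applies the check the application has to make on top of DNSSEC: that the validated answer is for the name that was actually meant. The zone contents, addresses, the search list, the `validated` flags and the helper names (`candidates`, `resolve`, `is_answer_for`) are all assumptions made for the illustration.

```python
"""
Added example, not from the original thread: how a DNS search list turns a
query for "yahoo.com" into a lookup of "yahoo.com.attackersdomain.com", and
why a DNSSEC-validated answer for that name is still the wrong answer.
All zone data, addresses and validation results below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Answer:
    qname: str       # the name the application asked for
    owner: str       # the fully qualified name the record actually belongs to
    address: str
    validated: bool  # DNSSEC validation result for `owner` (constructed)

# Constructed zone data standing in for what the (attacker-supplied, e.g. via
# DHCP) DNS server returns. The attacker controls attackersdomain.com and has
# signed a record for yahoo.com.attackersdomain.com, so that answer validates.
ZONES: Dict[str, Tuple[str, bool]] = {
    "yahoo.com.": ("203.0.113.10", True),
    "yahoo.com.attackersdomain.com.": ("198.51.100.66", True),
    "marketing.webservers.example.com.": ("192.0.2.7", True),
}

def absolute(name: str) -> str:
    """Canonical form: lower case with exactly one trailing dot."""
    return name.lower().rstrip(".") + "."

def candidates(name: str, search_list: List[str], ndots: int = 1) -> List[str]:
    """Names a stub resolver tries, in order, per the resolv.conf 'ndots' rule:
      - a name ending in '.' is absolute and is never expanded;
      - a name with at least `ndots` dots is tried as-is first, then with each
        search suffix appended;
      - otherwise the suffixed forms are tried first and the bare name last.
    This is the "before or after, depending on implementation" in the thread."""
    if name.endswith("."):
        return [absolute(name)]
    expanded = [absolute(f"{name}.{suffix.strip('.')}") for suffix in search_list]
    as_is = absolute(name)
    if name.count(".") >= ndots:
        return [as_is] + expanded
    return expanded + [as_is]

def resolve(name: str, search_list: List[str], ndots: int = 1,
            zones: Dict[str, Tuple[str, bool]] = ZONES) -> Optional[Answer]:
    """Return the first candidate that the (constructed) server answers."""
    for fqdn in candidates(name, search_list, ndots):
        if fqdn in zones:
            address, validated = zones[fqdn]
            return Answer(qname=name, owner=fqdn, address=address, validated=validated)
    return None

def is_answer_for(answer: Optional[Answer], intended: str) -> bool:
    """The application-side check: the answer validated AND it is for the name
    the user meant, not a search-list expansion of it. DNSSEC supplies only
    the first half; confusing the two names is the 'bad judgement' above."""
    return (answer is not None and answer.validated
            and answer.owner == absolute(intended))

if __name__ == "__main__":
    search = ["attackersdomain.com"]          # pushed by a hostile DHCP server
    for ndots in (1, 2):
        a = resolve("yahoo.com", search, ndots=ndots)
        print(f"ndots={ndots}: asked yahoo.com, got {a.owner} -> {a.address}, "
              f"validated={a.validated}, answer for yahoo.com={is_answer_for(a, 'yahoo.com')}")
    # Server that simply never answers the bare name: expansion wins even at ndots=1.
    hostile = {k: v for k, v in ZONES.items() if k != "yahoo.com."}
    a = resolve("yahoo.com", search, ndots=1, zones=hostile)
    print(f"hostile server: got {a.owner} -> {a.address}, validated={a.validated}")
```

With the default ndots of 1 the bare name wins when the server answers it; with a larger ndots, or with a server that withholds the bare name, the expanded name is what comes back, and it validates under DNSSEC because the attacker signed it. Only the comparison of the answered owner name against the intended name, done by the application, catches the substitution; a name written with a trailing dot is never expanded at all.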