Attacking networks using DHCP, DNS - probably kills DNSSEC NOT

Steven M. Bellovin smb at research.att.com
Mon Jun 30 08:19:37 PDT 2003


In message <ilubrwggo11.fsf_-_ at latte.josefsson.org>, Simon Josefsson writes:
>Bill Stewart <bill.stewart at pobox.com> writes:
>
>>>* Your laptop sees and uses the name "yahoo.com.attackersdomain.com".
>>>   You may be able to verify this using your DNSSEC root key, if the
>>>   attackersdomain.com people have set up DNSSEC for their spoofed
>>>   entries, but unless you are using bad software or judgment, you will
>>>   not confuse this for the real "yahoo.com".
>>
>> The DNS suffix business is designed so that your laptop tries
>> to use "yahoo.com.attackersdomain.com", either before "yahoo.com"
>> or after unsuccessfully trying "yahoo.com", depending on implementation.
>> It may be bad judgement, but it's designed to support intranet sites
>> for domains that want their web browsers and email to let you
>> refer to "marketing" as opposed to "marketing.webservers.example.com",
>> and Netscape-derived browsers support it as well as IE.
>
>It can be a useful feature, but it does not circumvent DNSSEC in any
>way, that I can see.  DNSSEC sees yahoo.com.attackersdomain.com and can
>verify that the IP addresses for that host are the ones that the owner
>of the y.c.a.c domain publishes, and that is what DNSSEC delivers.
>The bad judgement I referred to was if your software, after DNSSEC
>verification, confuses yahoo.com with yahoo.com.attackersdomain.com.
>

It's also not a new problem -- see RFC 1535.


		--Steve Bellovin, http://www.research.att.com/~smb (me)
		http://www.wilyhacker.com (2nd edition of "Firewalls" book)
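[Added example, not part of the thread above: a small model of the search-list
expansion Bill and Simon are discussing, i.e. the RFC 1535 behaviour. It is
not code from any real resolver; the search list, the ndots rule, the record
table and every address in it are constructed for illustration. It shows that
the order in which the bare name and the suffixed name are tried is an
implementation choice, that a dropped reply for the bare name makes the
resolver fall through to the attacker's suffix, and that DNSSEC validation
passes for the suffixed name because it is the attacker's own zone; the check
that catches it is comparing the name answered with the name requested.]

```python
# Added example: stub-resolver search-list expansion modelled in Python.
# Not code from this thread or from any real resolver.  RECORDS, the search
# lists and all addresses below are made up for illustration.

# Constructed answer table: FQDN -> (address, DNSSEC-validated?).
# The attackersdomain.com entry is what an attacker who runs DNSSEC for
# their own zone can legitimately sign and publish.
RECORDS = {
    "yahoo.com.": ("192.0.2.1", True),                         # stands in for the real site
    "yahoo.com.attackersdomain.com.": ("198.51.100.1", True),  # attacker's signed entry
    "marketing.webservers.example.com.": ("10.0.0.5", False),  # the intranet use case
}


def candidates(name, search, ndots=1, search_first=False):
    """Names a stub resolver would query, in order, for what the user typed.

    A name ending in '.' is absolute and is tried alone.  Otherwise each
    search suffix is appended.  Whether the bare name is tried before or
    after the suffixed forms is implementation-dependent; it is modelled
    here by search_first, plus the common rule that a name with fewer than
    ndots dots is searched first.
    """
    if name.endswith("."):
        return [name]
    bare = name + "."
    suffixed = [f"{name}.{s.strip('.')}." for s in search]
    if search_first or name.count(".") < ndots:
        return suffixed + [bare]
    return [bare] + suffixed


def resolve(name, search, ndots=1, search_first=False, dropped=()):
    """Return (name_answered, address, validated), or None if nothing resolves.

    'dropped' lists query names whose replies never arrive (an on-path
    attacker discarding them); the resolver then falls through to the
    next candidate, which is the "after unsuccessfully trying" case.
    """
    for qname in candidates(name, search, ndots, search_first):
        if qname in dropped:
            continue  # timed out: try the next candidate
        if qname in RECORDS:
            addr, validated = RECORDS[qname]
            return qname, addr, validated
    return None


def answer_matches_request(requested, answered):
    """The check DNSSEC does not do for you: is the (validated) answer for
    the name the user actually meant?  Compares as absolute names."""
    return requested.rstrip(".") + "." == answered


if __name__ == "__main__":
    for kwargs in ({}, {"search_first": True}, {"dropped": ("yahoo.com.",)}):
        got = resolve("yahoo.com", ["attackersdomain.com"], **kwargs)
        print(kwargs, "->", got, "matches request:",
              got is not None and answer_matches_request("yahoo.com", got[0]))
```

The two defences fall out directly: type the name with a trailing dot so the
search list is never consulted, or have the application compare the owner
name of the validated answer with the name it asked for rather than trusting
"validated" alone.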

More information about the cypherpunks-legacy mailing list