Re: Hey, SiteFinder is back, again...

From: David Conrad (no email)
Date: Mon Nov 05 2007 - 15:50:30 EST

  • Next message: Tim Wilde: "Re: Hey, SiteFinder is back, again..."

    On Nov 5, 2007, at 11:54 AM, Steven M. Bellovin wrote:
    >> On Nov 5, 2007, at 8:23 AM, David Lesher wrote:
    >>> What effect will Allegedly Secure DNS have on such provider
    >>> hijackings, both of DNS and crammed-in content?
    >>
    >> If what Verizon is doing is rewriting NXDOMAIN at their caching
    >> servers, DNSSEC will _not_ help. Caching servers do the validation
    >> and the insertion of the search engine IP addresses in the response
    >> would occur after the validation.
    >>
    > Depends on whether or not the endpoints delegate DNSSEC validation to
    > Verizon. They don't have to.

    Right. People can run their own caching servers and can set up those
    servers to do DNSSEC validation after setting up (and maintaining)
    trust anchors for any DNSSEC signed zone they might want to validate.
    Of course, if they do this, the NXDOMAIN redirection won't be an
    issue since the customer will be bypassing the caching server that is
    doing the redirection...

    As an aside, I note that Verizon is squatting on address space
    allocated to APNIC. From the self-help web page offered to opt out
    of this "service" (specific to the particular hardware customers
    might be using, e.g.,
    http://netservices.verizon.net/portal/link/help/item?case=c32535),
    they state:

    "5. Change the last octet of the Primary & Secondary DNS Server
    addresses to 14.

    Example:

    You look up the DNS information and the server numbers are:
    123.123.123.12 Primary DNS
    123.123.123.12 Secondary DNS
    You would change the addresses to the following when statically
    assigning them to the computer or modem/router.
    123.123.123.14 Primary DNS
    123.123.123.14 Secondary DNS
    Note that the .14 is the special set of servers that will opt you out
    of the DSN Assistance program."

    123.0.0.0/8 is delegated to APNIC who have allocated it to CNC Group
    in China:

    % whois -h whois.apnic.net 123.123.123.0
    % [whois.apnic.net node-1]
    % Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

    inetnum: 123.112.0.0 - 123.127.255.255
    netname: CNCGROUP-BJ
    descr: CNCGROUP Beijing province network
    descr: China Network Communications Group Corporation
    descr: No.156,Fu-Xing-Men-Nei Street,
    descr: Beijing 100031
    country: CN
    ...

    Regards,
    -drc
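
Added example, not part of the original message: a minimal check a stub-side client could run on the reply to a query for a name that should not exist, showing what caching-server NXDOMAIN rewriting looks like on the wire. The probe name, the 192.0.2.10 address and all function names are constructed for illustration; the packets are built inline, not captured.

```python
import socket
import struct

AD_BIT, NXDOMAIN, TYPE_A = 0x0020, 3, 1

def skip_name(pkt, off):
    """Return the offset just past a (possibly compressed) DNS name."""
    while pkt[off] != 0:
        if (pkt[off] & 0xC0) == 0xC0:      # compression pointer ends the name
            return off + 2
        off += 1 + pkt[off]
    return off + 1

def parse_response(pkt):
    """Return (rcode, ad_flag, [A-record addresses]) from a DNS response."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", pkt[:12])
    addrs, off = [], 12
    for _ in range(qd):
        off = skip_name(pkt, off) + 4      # skip QTYPE and QCLASS
    for _ in range(an):
        off = skip_name(pkt, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == TYPE_A and rdlen == 4:
            addrs.append(socket.inet_ntoa(pkt[off:off + 4]))
        off += rdlen
    return flags & 0x000F, bool(flags & AD_BIT), addrs

def classify_probe(pkt):
    """Classify the reply to a query for a name known not to exist."""
    rcode, ad, addrs = parse_response(pkt)   # AD is only the resolver's claim
    verdict = ("honest-nxdomain" if rcode == NXDOMAIN and not addrs else
               "nxdomain-rewritten" if rcode == 0 and addrs else "inconclusive")
    return verdict, ad, addrs

def build_response(qname, rcode, answers=(), ad=False):
    """Build a response packet; used only to construct the sample input."""
    flags = 0x8180 | rcode | (AD_BIT if ad else 0)   # QR, RD, RA set
    pkt = struct.pack("!6H", 0x1234, flags, 1, len(answers), 0, 0)
    pkt += b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    pkt += b"\x00" + struct.pack("!HH", TYPE_A, 1)
    for ip in answers:                     # owner name = pointer to the question
        pkt += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 60, 4) + socket.inet_aton(ip)
    return pkt

# Constructed samples: probe under the reserved .invalid TLD, TEST-NET-1 address.
PROBE = "nx-probe-4f9a1c.invalid"
HONEST = build_response(PROBE, NXDOMAIN)
REWRITTEN = build_response(PROBE, 0, answers=["192.0.2.10"])
```

A stub that delegates validation sees only the rcode, the answers and the AD flag the caching server chose to send, so a check like this detects rewriting but does not prevent it; a locally run validating resolver does.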

