[rbldnsd] Feature request: DNSSEC

Lyle Giese lyle at lcrcomputer.net
Thu Jul 10 22:29:58 MSD 2008


Michael Tokarev wrote:
> Victor Duchovni wrote:
>   
>> On Thu, Jul 10, 2008 at 09:28:40AM -0700, Jeff Chan wrote:
>>
>>     
>>> Hi Michael,
>>> In light of the recent DNS cache poisoning exploits identified,
>>> may I request DNSSEC for rbldnsd?  Obviously this could add very
>>> significant overhead but it could help prevent alteration of DNS
>>> responses in a remote cache.
>>>       
>> The SpamHaus PBL contains ~420 million logical RRsets. Each would have
>> to be individually signed. All the individual IPs in the zone (instead
>> of rather large efficiently stored CIDR blocks) would need a separate
>> record in the RBL zone file. Rsync feeds of PBL would become essentially
>> impossible.
>>     
>
> Or let rbldnsd sign replies on the fly, giving it the necessary key(s).
> It's a trade-off between being unrealistic and providing some protection.
> After all, signing key security isn't more important than the data it
> protects.
>
> But I still don't think it's necessary to implement.  All this current
> fuss about DNS insecurities, with "DNSSEC" written over everything...
> There are far more important points to attack than a DNSBL.  And even
> if a DNSBL is being attacked, it's usually some sort of DDoS attack
> against DNSBL itself.
>
> /mjt
>   
I think Michael is right. What is the gain from attacking DNSBL data?

How does the attacker make money? He makes money by steering web traffic
to compromised servers to push bot software to your desktop or to push
popups or ads to your desktop.

He does not make money attacking DNSBL data.

This whole thing is being driven by money and I don't see the attraction
in attacking DNSBL data. If he clears listed IPs, the content filters
after the DNSBL check will catch most of it. If he blocks your mail,
it's a DoS attack that will go away when the data clears in cache. And
the attacker is left with what?

Lyle
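As an added illustration of the scaling problem Victor describes above (example code written for this archive page; it is not part of rbldnsd and not code from anyone in the thread), the following Python expands a constructed handful of rbldnsd-style ip4set entries into the per-address reversed-octet owner names that a DNSSEC-signed zone would have to carry, sign and chain with NSEC records. The zone origin `pbl.example`, the sample CIDR list and the per-signature byte size are assumptions.

```python
"""Estimate the DNSSEC signing burden of an rbldnsd-style ip4set zone.

Added example, not part of the rbldnsd project or of this thread. The origin
name, the CIDR entries and the per-RRSIG size are constructed assumptions.
It shows why every address covered by a compact CIDR line becomes its own
owner name that a signed zone would have to carry and sign individually.
"""
import ipaddress

# Constructed sample of ip4set entries: two CIDR blocks and one bare address.
SAMPLE_ENTRIES = [
    "192.0.2.0/24",
    "198.51.100.0/26",
    "203.0.113.7",
]
ORIGIN = "pbl.example"  # assumed zone origin, not a real DNSBL name


def reverse_owner(ip: ipaddress.IPv4Address, origin: str) -> str:
    """Owner name a DNSBL answers for this address: octets reversed under origin."""
    octets = str(ip).split(".")
    return ".".join(reversed(octets)) + "." + origin


def expand_entries(entries, origin):
    """Yield one owner name per address covered by the entries, deduplicated."""
    seen = set()
    for entry in entries:
        # strict=False lets a bare address or a non-aligned block parse as a network
        net = ipaddress.ip_network(entry, strict=False)
        for ip in net:  # iterates every address in the block, incl. first and last
            name = reverse_owner(ip, origin)
            if name not in seen:
                seen.add(name)
                yield name


def signing_estimate(entries, origin, rrsig_bytes=160):
    """Compare compact CIDR lines with the per-name records DNSSEC needs.

    Each owner name gets its A RRset plus an RRSIG, and also an NSEC (or
    NSEC3) record with its own RRSIG so gaps between names can be proven.
    rrsig_bytes is an assumed rough per-signature size for the estimate.
    """
    names = list(expand_entries(entries, origin))
    n = len(names)
    return {
        "cidr_lines": len(entries),
        "owner_names": n,
        "rrsigs_needed": 2 * n,  # one for the A RRset, one for the NSEC record
        "approx_signature_bytes": 2 * n * rrsig_bytes,
    }


if __name__ == "__main__":
    for name in list(expand_entries(SAMPLE_ENTRIES, ORIGIN))[:3]:
        print(name)
    print(signing_estimate(SAMPLE_ENTRIES, ORIGIN))
```

Three input lines turn into 321 owner names and 642 signatures before a single real PBL block is considered; scaling that to hundreds of millions of addresses is what makes pre-signing, and the rsync feed of a signed zone file, impractical in the way the thread describes. Signing on the fly, as Michael suggests, avoids the stored blow-up but moves the cost to a private-key operation on every answer.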
