[AusNOG] Australian senate passes controversial anti-piracy, website-blocking laws

Mark Andrews marka at isc.org
Wed Jun 24 10:18:38 EST 2015


In message <alpine.DEB.2.11.1506240750280.32090 at motsugo.ucc.gu.uwa.edu.au>, James Andrewartha writes:
> On Wed, 24 Jun 2015, Matt Palmer wrote:
> 
> > I, for one, applaud this Government's steps to encourage the adoption of 
> > DNSSEC. - Matt
> 
> DNSSEC is checked at the DNS server, not the client, so an ISP's DNS 
> server can still spoof DNS easily. See also why web browsers aren't caring 
> about DNSSEC.

DNSSEC is checked at the server *and* at the application.  This is
how it is designed to be deployed.  Checking at the resolver was a
first and necessary step in full DNSSEC deployment to protect the
cache and so that bogus answers are not passed on to the application
as it is not expected to have to talk directly to authoritative
servers.  Validating at the resolver also provides a measure of
protection for non DNSSEC aware applications by reducing the attack
space where spoofing can succeed.  For full protection the application
also needs to validate or otherwise secure the path from the
resolver to the application to prevent spoofing / tampering.

As for web browsers caring about DNSSEC you should see DANE, TLSA
and detection of CERTs signed by compromised / rogue CAs.  If your
web browser is not checking for TLSA records you should be asking
the vendor why not.  You should also be checking that your firewall
does not block TLSA lookups.  Some firewall vendors are idiots and
do this by default.  You should also check that your nameservers
properly handle TLSA queries.  REFUSED, NOTIMP, FORMERR and SERVFAIL
are not correct responses.

Mark

> -- 
> # TRS-80              trs80(a)ucc.gu.uwa.edu.au #/ "Otherwise Bub here will do \
> # UCC Wheel Member     http://trs80.ucc.asn.au/ #|  what squirrels do best     |
> [ "There's nobody getting rich writing          ]|  -- Collect and hide your   |
> [  software that I know of" -- Bill Gates, 1980 ]\  nuts." -- Acid Reflux #231 /
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
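The two checks Mark's reply asks for can be scripted. The following is an added example, not code from the AusNOG thread or from ISC: it builds a TLSA query in DNS wire format with the EDNS DO bit set, and classifies a response header by its RCODE (REFUSED, NOTIMP, FORMERR and SERVFAIL mean the nameserver or a firewall in front of it is mishandling TLSA) and by the AD bit, which a validating resolver sets and which a non-validating application relies on. Only the Python standard library is used; the sample responses are constructed by hand so the script runs offline, and the hostname `example.com` and the `query_tlsa` helper are illustrative assumptions.

```python
"""Build a TLSA query and classify the reply header (added example, not from the post)."""
import socket
import struct

TLSA = 52        # RR type for TLSA (RFC 6698)
CLASS_IN = 1
OPT = 41         # EDNS pseudo-RR type
DO_BIT = 0x8000  # "DNSSEC OK" flag in the OPT TTL field

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}
# The responses Mark's post lists as incorrect for a TLSA query.
BAD_TLSA_RCODES = {"REFUSED", "NOTIMP", "FORMERR", "SERVFAIL"}


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_tlsa_query(port, proto, host, txid=0x1234):
    """Wire-format query for _<port>._<proto>.<host> TLSA with RD=1 and EDNS DO=1,
    so a validating resolver returns DNSSEC data and sets AD when it validated."""
    qname = "_%d._%s.%s" % (port, proto, host)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set, 1 question, 1 additional
    question = encode_name(qname) + struct.pack("!HH", TLSA, CLASS_IN)
    # OPT RR: root name, type 41, UDP payload 4096, ext-rcode 0, version 0, flags DO, rdlen 0
    opt = b"\x00" + struct.pack("!HHBBHH", OPT, 4096, 0, 0, DO_BIT, 0)
    return header + question + opt


def parse_header(msg):
    """Decode the 12-byte DNS header into named flags and counts."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # response
        "aa": bool(flags & 0x0400),   # authoritative answer
        "tc": bool(flags & 0x0200),   # truncated
        "rd": bool(flags & 0x0100),   # recursion desired
        "ra": bool(flags & 0x0080),   # recursion available
        "ad": bool(flags & 0x0020),   # authenticated data (resolver validated)
        "cd": bool(flags & 0x0010),   # checking disabled
        "rcode": RCODES.get(flags & 0x000F, "RCODE%d" % (flags & 0x000F)),
        "ancount": an,
    }


def classify_tlsa_response(msg):
    """Return one of: broken, no-tlsa, validated, unvalidated."""
    h = parse_header(msg)
    if h["rcode"] in BAD_TLSA_RCODES:
        return "broken"          # nameserver/firewall mishandles TLSA queries
    if h["rcode"] == "NXDOMAIN" or h["ancount"] == 0:
        return "no-tlsa"         # name exists but publishes no TLSA, or does not exist
    if h["ad"]:
        return "validated"       # resolver validated the DNSSEC chain
    # AD clear: either the zone is unsigned or the resolver does not validate.
    # Even when AD is set, trust it only if the resolver-to-application path is
    # itself protected (loopback, TSIG, DoT), which is Mark's second point.
    return "unvalidated"


def query_tlsa(server, port, proto, host, timeout=3.0):
    """Send the query over UDP to a resolver and classify the reply (network; not run offline)."""
    q = build_tlsa_query(port, proto, host)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        reply, _ = s.recvfrom(4096)
    if parse_header(reply)["id"] != parse_header(q)["id"]:
        raise ValueError("transaction id mismatch")
    return classify_tlsa_response(reply)


# Constructed 12-byte response headers (no body needed for classification).
SAMPLE_VALIDATED = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 1)  # QR RD RA AD, NOERROR, 1 answer
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8185, 1, 0, 0, 0)    # QR RD RA, REFUSED
SAMPLE_SERVFAIL = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 0)   # QR RD RA, SERVFAIL
SAMPLE_UNSIGNED = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)   # QR RD RA, NOERROR, AD clear
SAMPLE_NXDOMAIN = struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0)   # QR RD RA, NXDOMAIN

if __name__ == "__main__":
    for label, sample in [("validated", SAMPLE_VALIDATED), ("refused", SAMPLE_REFUSED),
                          ("servfail", SAMPLE_SERVFAIL), ("unsigned", SAMPLE_UNSIGNED),
                          ("nxdomain", SAMPLE_NXDOMAIN)]:
        print("%-10s -> %s" % (label, classify_tlsa_response(sample)))
```

To run it against a real resolver, call `query_tlsa("<resolver-ip>", 443, "tcp", "<host>")`; a result of `broken` is the case Mark describes, and `unvalidated` for a zone you know is signed points at a non-validating resolver rather than at the zone.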

