In message <[EMAIL PROTECTED]>, Simon Josefsson writes:
>Bill Stewart <[EMAIL PROTECTED]> writes:
>
>>>* Your laptop sees and uses the name "yahoo.com.attackersdomain.com".
>>> You may be able to verify this using your DNSSEC root key, if the
>>> attackersdomain.com people have set up DNSSEC for their spoofed
>>> entries, but unless you are using bad software or judgment, you will
>>> not confuse this for the real "yahoo.com".
>>
>> The DNS suffix business is designed so that your laptop tries
>> to use "yahoo.com.attackersdomain.com", either before "yahoo.com"
>> or after unsuccessfully trying "yahoo.com", depending on implementation.
>> It may be bad judgement, but it's designed to support intranet sites
>> for domains that want their web browsers and email to let you
>> refer to "marketing" as opposed to "marketing.webservers.example.com",
>> and Netscape-derived browsers support it as well as IE.
>
>It can be a useful feature, but it does not circumvent DNSSEC in any
>way, that I can see. DNSSEC sees yahoo.com.attackersdomain.com and can
>verify that the IP addresses for that host are the ones that the owner
>of the y.c.a.c domain publishes, and that is what DNSSEC delivers.
>The bad judgement I referred to was if your software, after DNSSEC
>verification, confuses yahoo.com with yahoo.com.attackersdomain.com.
>
It's also not a new problem -- see RFC 1535.

		--Steve Bellovin, http://www.research.att.com/~smb (me)
		http://www.wilyhacker.com (2nd edition of "Firewalls" book)
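The search-list behaviour the thread is arguing about, as an added illustration that is not code from any of the posters: a toy stub resolver that expands a typed name through a DNS search list the way pre-RFC 1535 resolvers did (suffixes first, regardless of the name) and the way ndots-style resolvers do now (literal name first once it contains enough dots), plus a constructed table of "DNSSEC-validated" records. The search lists, addresses, the `ndots` default of 1, and the zone contents are all assumptions for the example. The point it makes is the one Simon makes: both answers validate under their own zone's keys, so the only defence is that the application notices the name that actually answered is not the name the user typed.

```python
"""Search-list expansion (RFC 1535) and why DNSSEC does not catch it.

Added illustration, not code from the thread above.  Models a stub
resolver with a DNS search list and a constructed table of records that
we pretend have already passed DNSSEC validation under their own zone.
All names, addresses and search lists here are assumed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ResolverConfig:
    search: list[str] = field(default_factory=list)   # e.g. from DHCP / resolv.conf
    ndots: int = 1                                    # glibc-style threshold (assumed)
    # Pre-RFC 1535 resolvers appended every search suffix *before* trying the
    # name as typed; modern ones apply the ndots rule in candidates().
    legacy_suffix_first: bool = False


def fqdn(name: str) -> str:
    """Make a name absolute (trailing dot) without doubling an existing dot."""
    return name if name.endswith(".") else name + "."


def candidates(name: str, cfg: ResolverConfig) -> list[str]:
    """Ordered list of fully qualified names the stub resolver will query."""
    if name.endswith("."):
        return [name]                  # absolute name: search list is never applied
    literal = fqdn(name)
    suffixed = [fqdn(f"{name}.{s.strip('.')}") for s in cfg.search]
    if cfg.legacy_suffix_first or name.count(".") < cfg.ndots:
        return suffixed + [literal]    # "marketing" -> marketing.<suffix>. first
    return [literal] + suffixed        # "yahoo.com" -> yahoo.com. first


# Constructed records: FQDN -> (address, zone whose keys signed it).  Each entry
# is a perfectly valid DNSSEC answer for *its own* name; that is exactly why
# validation alone does not help here.
VALIDATED_RECORDS: dict[str, tuple[str, str]] = {
    "yahoo.com.": ("192.0.2.10", "yahoo.com."),
    "yahoo.com.attackersdomain.com.": ("198.51.100.66", "attackersdomain.com."),
    "marketing.webservers.example.com.": ("10.1.2.3", "example.com."),
}


@dataclass
class Answer:
    queried: str      # what the user typed
    resolved: str     # FQDN that actually answered
    address: str
    signer: str       # zone whose DNSSEC keys validated the answer

    @property
    def suffix_expanded(self) -> bool:
        """True when the answer came from a search-list candidate, not the
        literal name.  An application that treats `queried` as authenticated
        without checking this is the 'bad judgement' case from the thread."""
        return self.resolved != fqdn(self.queried)


def resolve(name: str, cfg: ResolverConfig) -> Optional[Answer]:
    """First candidate that has a (validated) record wins, as in a real stub."""
    for cand in candidates(name, cfg):
        rec = VALIDATED_RECORDS.get(cand)
        if rec is not None:
            return Answer(name, cand, *rec)
    return None


if __name__ == "__main__":
    hostile = ResolverConfig(search=["attackersdomain.com"], legacy_suffix_first=True)
    a = resolve("yahoo.com", hostile)
    print(a.queried, "->", a.resolved, a.address, "signed by", a.signer,
          "(search-list expansion!)" if a.suffix_expanded else "")
    intranet = ResolverConfig(search=["webservers.example.com"])
    b = resolve("marketing", intranet)
    print(b.queried, "->", b.resolved, b.address, "signed by", b.signer)
```

With the legacy suffix-first order and a hostile search list, "yahoo.com" resolves to the attacker's validly signed record; with the modern ndots rule the literal name is tried first and only falls through to the suffix if "yahoo.com." does not resolve. A trailing dot ("yahoo.com.") disables the search list in both cases, which is the RFC 1535 advice for software that wants to name a specific host.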