On 01/26/2014 01:30 PM, Andrew McGlashan wrote:
> On 25/01/2014 7:39 PM, Emmanuel Thierry wrote:
>> Then DNSSEC appeared ! :)
>
> I wish it was that simple .... I don't believe it is today, but one day
> it will have to be the standard.
>
>> I remind you it is really difficult to compromise DNS zones protected by
>> DNSSEC, even if you have control on root DNS servers (they probably have it)
>> and the knowledge of the complete root DNS key (they likely don't have it).
>>
>> There is no point in considering DNS as compromised, since it would be much
>> easier (and as difficult to hide) to subvert IP routing. By the way if you
>> succeeded in redirecting DNS traffic to your box, you probably have the
>> power of redirecting all the traffic to your box.
>
> It is technically very easy to compromise DNS for many people. It often
> surprises me that people don't question absolutely whether or not a
> webpage is legitimate, they almost always take it on faith unless there
> is something very obviously wrong and even then the person will take
> some convincing (especially the lesser educated on these matters).
>
> Kind Regards
> AndrewM

I think the MITM attacks that the NSA does on the core internet routers are likely based on IP rather than DNS. The reports talk about how the system is set up to respond before any of the real servers can. So my guess is that they are replying to ARPs, thereby claiming an IP. Just a guess...

.hc