On Mon, Dec 07, 2015 at 08:49:03AM -0500, Matthew Miller wrote:
> On Mon, Dec 07, 2015 at 10:17:20AM +0100, Tomas Hozza wrote:
> > > Older Netgear routers also used http://routerlogin.net before they were
> > > set up.
> > If they don't own the domain, then this is simply hijacking of domain
> > name space, which is not owned by them. It is expected that these
> > "clever ideas" will not work with DNSSEC.
> 
> FWIW, they _do_ own the domain.

True, though the A record does not exist.  Since there's no DS record
either, the domain is not secured and the spoofing will still work as
long as the local name server uses the name server provided by the
router for its answers.  I think this is the default as long as the
router supports recursive resolution, EDNS0, and doesn't corrupt
RRSIG/NSEC/... records.

-- 
Scott Schmit

--
devel mailing list
devel@lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org
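
The point made in the reply above (no DS record means the zone is not secured, so a validating resolver has nothing to check an unsigned answer against), as an added example that is not part of the original message. It is a simplified model of the security states in RFC 4035 section 4.3, not a real resolver: signatures are modelled as booleans, the names Zone, zone_status and accept_answer are hypothetical, and all zone data is constructed.

```python
from dataclasses import dataclass

@dataclass
class Zone:
    name: str
    signed: bool        # zone publishes DNSKEY records and RRSIGs
    ds_in_parent: bool  # parent zone publishes a DS record for this zone

# Constructed delegation chains, trust anchor (root) first.
NO_DS_CHAIN = [Zone(".", True, True), Zone("net.", True, True),
               Zone("routerlogin.net.", False, False)]
SIGNED_CHAIN = [Zone(".", True, True), Zone("net.", True, True),
                Zone("example.net.", True, True)]
BROKEN_CHAIN = [Zone(".", True, True), Zone("net.", True, True),
                Zone("example.net.", False, True)]

def zone_status(chain):
    """Walk down from the trust anchor; return 'secure', 'insecure' or 'bogus'."""
    for zone in chain[1:]:  # chain[0] is the configured trust anchor
        if not zone.ds_in_parent:
            # The signed parent proves that no DS exists: the chain of trust
            # ends here and everything at or below this name is insecure.
            return "insecure"
        if not zone.signed:
            # A DS exists, but the child has no keys or signatures to match it.
            return "bogus"
    return "secure"

def accept_answer(chain, answer_has_valid_rrsig):
    """Would a validating resolver accept this answer from its upstream?"""
    status = zone_status(chain)
    if status == "insecure":
        return True                    # nothing to validate against
    if status == "secure":
        return answer_has_valid_rrsig  # unsigned or altered data is rejected
    return False                       # bogus: the resolver returns SERVFAIL

if __name__ == "__main__":
    for chain in (NO_DS_CHAIN, SIGNED_CHAIN, BROKEN_CHAIN):
        print(chain[-1].name, zone_status(chain),
              "unsigned answer accepted:", accept_answer(chain, False))
```

Only the secure chain lets the resolver tell an upstream-supplied answer from the zone owner's data; for the zone without a DS record the unsigned answer is accepted as-is.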