On Wed, Jun 24, 2015 at 05:06:10PM -0400, James B. Byrne wrote:

> We run our own name-servers for our domains.  In other words we have
> the delegation for harte-lyne.ca, harte-lyne.com, and so forth.  We
> also have the delegation for our class C netblocks and provide the DNS
> reverse lookups from our own name-servers.  Our name-servers reside on
> the same network segments as our mail servers.  All our host
> resolvers, not just the mail server hosts, are configured to only use
> our internal name-servers by IP address. Those hosts that have an
> instance of named running also have 127.0.0.1 listed first.

This is not enough: any rogue device attached to the same network
can ARP-cache poison any host and compromise DNSSEC on any host
where 127.0.0.1 is not the only listed nameserver.

> Given these conditions it is difficult for me to imagine a
> circumstance where a mitm attack would be possible.

And yet it is simple for any attacker attached to your network.

If you want DANE, limit the nameservers to just 127.0.0.1.  Make
sure the local resolver is always running.

-- 
        Viktor.
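The check Viktor describes, as an added example that is not part of the original thread or of any project's code: a small script that reads resolv.conf-style text and reports every nameserver that is not a loopback address, since any non-loopback entry is reached over the wire and can be redirected by a host on the same segment, which makes its AD bit worthless for DANE. The sample resolv.conf contents and the `local_resolver_listening` helper (a plain TCP connect to 127.0.0.1:53) are constructed assumptions for illustration.

```python
import ipaddress
import socket

# Constructed sample resolv.conf contents (not taken from the thread).
RESOLV_CONF_MIXED = """\
# hand-written example
search example.net
nameserver 127.0.0.1
nameserver 192.0.2.53   # internal name-server on the same LAN segment
options timeout:2
"""

RESOLV_CONF_LOOPBACK_ONLY = """\
nameserver 127.0.0.1
nameserver ::1
"""


def parse_nameservers(text):
    """Return the addresses from 'nameserver' lines, ignoring comments."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] == "nameserver" and len(fields) >= 2:
            servers.append(fields[1])
    return servers


def non_loopback_nameservers(text):
    """Return the listed nameservers that are not loopback addresses.

    Every entry here is queried over the network, so a device on the same
    segment can ARP-cache poison the host and answer in the server's place;
    the AD bit in such answers proves nothing and DANE must not rely on it.
    """
    offenders = []
    for addr in parse_nameservers(text):
        try:
            ip = ipaddress.ip_address(addr.split("%", 1)[0])  # drop zone id
        except ValueError:
            offenders.append(addr)  # unparsable entry: treat as unsafe
            continue
        if not ip.is_loopback:
            offenders.append(addr)
    return offenders


def dane_resolver_config_ok(text):
    """True only when at least one nameserver is listed and all are loopback."""
    servers = parse_nameservers(text)
    return bool(servers) and not non_loopback_nameservers(text)


def local_resolver_listening(port=53, timeout=1.0):
    """Assumed helper: is something accepting TCP connections on 127.0.0.1:53?

    A loopback-only resolv.conf is useless if the local validating resolver
    is not running, so the second half of the check is that it is listening.
    """
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for name, conf in (("mixed", RESOLV_CONF_MIXED),
                       ("loopback-only", RESOLV_CONF_LOOPBACK_ONLY)):
        bad = non_loopback_nameservers(conf)
        verdict = "ok for DANE" if dane_resolver_config_ok(conf) else "NOT ok"
        print(f"{name}: {verdict}; non-loopback nameservers: {bad}")
    print("local resolver listening on 127.0.0.1:53:",
          local_resolver_listening())
```

Run it against the real `/etc/resolv.conf` by reading the file into `text`; the "mixed" sample shows the configuration James describes (127.0.0.1 listed first, an internal server second) failing the check, because the second entry is exactly what an attacker on the segment can impersonate.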
