
* Alex Bligh:

> --On 26 March 2005 23:23 +0100 Florian Weimer <fw@deneb.enyo.de> wrote:
>
>> Should we monitor for evidence of hijacks (unofficial NS and SOA records are good indicators)? Should we actively scan for authoritative name servers which return unofficial data?
>
> And what if you find them?

If leaking unofficial data were considered a capital offense (in Internet terms), many ISPs would take action. Apparently, it's not, so detection is pretty much pointless.

> The only way you are going to prevent packet level (as opposed to organization level) DNS hijack is get DNSSEC deployed.

DNS cache poisoning (at least in the form which prompted me to start this thread) is a quality-of-implementation issue. DNSSEC will not magically increase code quality (but it will definitely increase complexity), that's why I don't share the enthusiasm of the DNSSEC crowd. 8->
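The detection the thread discusses (comparing the NS and SOA records a server actually hands out against the zone's official delegation) can be sketched as a small audit. The following is an added example, not code from either poster; it works on constructed observations rather than live queries, so the zone name, server names and serials are all made up, and the lookup that would feed it real answers is left to the reader.

```python
"""Flag name servers whose NS/SOA answers for a zone differ from the official
delegation. Added illustration; all sample data below is constructed."""
from dataclasses import dataclass


def norm(name: str) -> str:
    """Canonicalise a DNS owner name: lower-case with exactly one trailing dot."""
    return name.rstrip(".").lower() + "."


@dataclass
class Observation:
    server: str        # the server that was queried (constructed label)
    ns: list           # NS RRset it returned for the zone apex
    soa_mname: str     # MNAME field of the SOA it returned
    soa_serial: int    # SERIAL field of that SOA


def audit_zone(zone, official_ns, official_mname, observations):
    """Return (server, problem) tuples; an empty list means every answer agrees
    with the official delegation and the servers agree with each other."""
    official = {norm(n) for n in official_ns}
    mname = norm(official_mname)
    findings = []
    for obs in observations:
        seen = {norm(n) for n in obs.ns}
        extra = seen - official          # NS names the delegation does not list
        missing = official - seen        # official NS names the answer omits
        if extra:
            findings.append((obs.server, f"unofficial NS for {zone}: {sorted(extra)}"))
        if missing:
            findings.append((obs.server, f"official NS missing for {zone}: {sorted(missing)}"))
        if norm(obs.soa_mname) != mname:
            findings.append((obs.server, f"SOA MNAME {norm(obs.soa_mname)} != {mname}"))
    # Servers that should be serving the same zone should agree on the serial.
    serials = {o.soa_serial for o in observations}
    if len(serials) > 1:
        findings.append(("*", f"SOA serials disagree: {sorted(serials)}"))
    return findings


# Constructed sample: two official servers answer consistently (one with odd
# capitalisation, which must not count as a discrepancy), a third server
# hands out a rogue NS and SOA.
OFFICIAL_NS = ["ns1.example.net.", "ns2.example.net."]
OFFICIAL_MNAME = "ns1.example.net."
SAMPLE = [
    Observation("ns1.example.net.", ["ns1.example.net.", "NS2.example.net"],
                "ns1.example.net.", 2005032601),
    Observation("ns2.example.net.", ["ns1.example.net.", "ns2.example.net."],
                "ns1.example.net.", 2005032601),
    Observation("resolver-a.example.org.", ["ns1.example.net.", "ns.rogue.example."],
                "ns.rogue.example.", 1),
]


def run_sample():
    return audit_zone("example.net.", OFFICIAL_NS, OFFICIAL_MNAME, SAMPLE)


if __name__ == "__main__":
    for server, problem in run_sample():
        print(f"{server}: {problem}")
```

On the sample the two official servers produce no findings, while the third yields three discrepancies (an extra NS, a missing NS, a wrong MNAME) plus one zone-wide serial disagreement. Whether anyone acts on such a report is, as the thread notes, a separate question from being able to produce it.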