26 Mar
2005
26 Mar
'05
7:32 p.m.
Le 26 mars 2005, à 17:52, Sean Donelan a écrit :
You forgot the most important requirement, you have to be using insecure, unpatched DNS code (old versions of BIND, old versions of Windows, etc). If you use modern DNS code and which only follows trustworthy pointers from the root down, you won't get hooked by this.
The obvious rejoinder to this is that there are no trustworthy pointers from the root down (and no way to tell if the root you are talking to contains genuine data) unless all the zones from the root down are signed with signatures you can verify and there's a chain of trust to accompany each delegation. If you don't have cryptographic signatures in the mix somewhere, it all boils down to trusting IP addresses. Joe