In message <20111220133723.cfjv8g999ssoc8gg@fcaglp.fcaglp.unlp.edu.ar>, "Eduardo A. Suárez" writes:
Hi,
What if evil guys hack my mom's ISP's DNS servers and use RPZ to redirect traffic from mom_bank.com to evil.com?
How can she detect this?
The bank signs their zone and mum's machine validates the answers it gets from the ISP. This is not rocket science. This is not beyond the capabilities of even the smallest client that mom would use to talk to the bank. This is how DNSSEC was designed to be used. Validating in the resolver protects the resolver itself and the cache from pollution. It also protects non-DNSSEC-aware clients from threats upstream of the resolver. It was always expected that clients would validate answers themselves.

Mark
Eduardo.-
--
Eduardo A. Suarez
Facultad de Ciencias Astronómicas y Geofísicas - UNLP
FCAG: (0221)-4236593 int. 172 / Mobile: (0221)-15-4557542 / Home: (0221)-4526589
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
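As an added illustration of Mark's point (example code, not part of the original thread): a client that inspects the answer it gets from the ISP's resolver can see that an RPZ-rewritten answer for the bank's name arrives without an RRSIG covering the A RRset, because the resolver does not hold the bank's zone key. The name, addresses and signature bytes are constructed placeholders, and the check shown is only the structural first step of validation, not signature or chain-of-trust verification.

```python
import struct

A, RRSIG = 1, 46  # RR type codes

def _name(n):
    """Encode a dotted name in uncompressed DNS wire format."""
    return b"".join(bytes([len(l)]) + l.encode() for l in n.rstrip(".").split(".")) + b"\x00"

def _skip_name(msg, off):
    """Return the offset just past a name (handles 2-byte compression pointers)."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length

def build_response(qname, rrs):
    """Constructed response: one A question, answers given as (type, rdata) pairs."""
    hdr = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, len(rrs), 0, 0)  # QR|RD|RA, NOERROR
    question = _name(qname) + struct.pack(">HH", A, 1)
    answers = b"".join(_name(qname) + struct.pack(">HHIH", t, 1, 300, len(rd)) + rd for t, rd in rrs)
    return hdr + question + answers

def answer_rrs(msg):
    """Parse the answer section into (type, rdata) pairs."""
    qd, an = struct.unpack(">HH", msg[4:8])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    rrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        rrs.append((rtype, msg[off + 10:off + 10 + rdlen]))
        off += 10 + rdlen
    return rrs

def a_rrset_is_signed(msg):
    """Structural first step of client-side validation: the A RRset must be accompanied
    by an RRSIG whose type-covered field is A. Verifying the signature against the
    zone's DNSKEY and the DS chain is the real work and is not done here."""
    rrs = answer_rrs(msg)
    covered = {struct.unpack(">H", rd[:2])[0] for t, rd in rrs if t == RRSIG}
    return any(t == A for t, _ in rrs) and A in covered

# Constructed sample messages (placeholder name, addresses and signature bytes).
BANK = "mom-bank.example."
# RRSIG rdata: type covered, algorithm, labels, original TTL, expiration, inception, key tag, signer, signature
SIG = struct.pack(">HBBIIIH", A, 13, 2, 300, 1325000000, 1324000000, 4242) + _name(BANK) + b"\x00" * 64
SIGNED = build_response(BANK, [(A, bytes([192, 0, 2, 10])), (RRSIG, SIG)])
# An RPZ rewrite at the ISP resolver: a different A record and no RRSIG, since the ISP lacks the bank's key.
REWRITTEN = build_response(BANK, [(A, bytes([203, 0, 113, 5]))])
```

The AD flag in the header is set by the ISP's resolver and so cannot be trusted in this scenario; only checks the client performs itself, as the thread argues, tell the two responses apart.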