
David Conrad wrote:
NEW ATTACK TECHNIQUE THREATENS BROADBAND USERS
...
As noted, DNSSEC can protect against spoofed DNS info.
Except DNSSEC wouldn't really be applicable.
I know, it would be sloppy use of terms, but when I read the thread I "included" TSIG under the DNSSEC item. That could help, unless the shared secret gets easily compromised, too, and it probably would, assuming that java* or active* is enabled ;-)
The attack (as I understand it) provides a new IP address (that of an attacker-owned caching resolver) to clients on a LAN attached to the broadband router, with the attacker-owned caching resolver returning answers to stub resolver queries. Since validation is done at the caching resolver, DNSSEC wouldn't apply.
Rgds, -drc
Wilfried.
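
A client-side check for the resolver change discussed in this thread, as an added example that is not part of the original messages: it parses resolv.conf content and reports any configured nameserver outside an approved set. The function names, the approved list and the sample file contents are constructed assumptions.

```python
import ipaddress

def parse_nameservers(resolv_conf_text):
    """Return the IP addresses found on 'nameserver' lines of resolv.conf content."""
    servers = []
    for raw in resolv_conf_text.splitlines():
        # '#' and ';' start comments in resolv.conf
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            addr = fields[1].split("%", 1)[0]  # drop an IPv6 zone id such as %eth0
            try:
                servers.append(ipaddress.ip_address(addr))
            except ValueError:
                continue  # not an address; the stub resolver cannot use it either
    return servers

def unexpected_resolvers(resolv_conf_text, approved):
    """List configured resolvers that fall outside the approved addresses/networks."""
    nets = [ipaddress.ip_network(a, strict=False) for a in approved]
    return [str(ip) for ip in parse_nameservers(resolv_conf_text)
            if not any(ip in net for net in nets)]

# Constructed sample: the LAN router plus one resolver nobody on the LAN approved.
SAMPLE_RESOLV_CONF = """\
# pushed by DHCP
search lan
nameserver 192.168.1.1
nameserver 203.0.113.53   ; constructed address from a documentation range
"""

# Assumption: the only resolver this LAN should ever hand out is the router itself.
APPROVED = ["192.168.1.1"]

if __name__ == "__main__":
    for ip in unexpected_resolvers(SAMPLE_RESOLV_CONF, APPROVED):
        print("unexpected resolver configured:", ip)
```

On a real host the text would come from /etc/resolv.conf; the check only shows that the stub's resolver changed, which is the point at which resolver-side DNSSEC validation stops helping the client.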