Full Disclosure mailing list archives
Re: DNS Cache Dan Kamikaze (Actual Exploit Discussion)
From: Mark Andrews <Mark_Andrews () isc org>
Date: Wed, 16 Jul 2008 11:17:07 +1000
The real problem isn't signing or resigning zones, or even successfully=20 completing the original configuration (although those are not trivial for=20 the average person trying to setup their own dns). It's the trust=20 anchors. Until the root is signed, trust anchors are a PITA. And until=20 the root is signed, why should anyone believe that DNSSEC will achieve=20 wide adoption?
Well there are a number of ccTLD's that are already signed. RIPE sign their part of the reverse space. ORG is in the process of getting signed. It's happening. There are existing solutions to dealing with lack of support in the infrastructure zones (includes the root). You let someone you trust collect the trust anchors for you then incorporate them on a regular basis. We effectively do this everyday with https but for some reason people are scared to do the same thing with dns despite private parts of the keys never being available to the entity doing the certification. With https the certifying authority can spoof any site they certify. Mark
Paul Schmehl If it isn't already obvious, my opinions are my own and not those of my employer.
-- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews () isc org _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: DNS Cache Dan Kamikaze (Actual Exploit Discussion), (continued)
- Re: DNS Cache Dan Kamikaze (Actual Exploit Discussion) eugaaa () gmail com (Jul 13)
- Re: DNS Cache Dan Kamikaze (Actual Exploit Discussion) eugaaa () gmail com (Jul 13)
- Re: DNS Cache Dan Kamikaze (Actual Exploit Discussion) Valdis . Kletnieks (Jul 13)
- Re: DNS Cache Dan Kamikaze (Actual Exploit Discussion) Paul Schmehl (Jul 14)
- Re: DNS Cache Dan Kamikaze (Actual Exploit Discussion) Mark Andrews (Jul 14)
- Re: DNS Cache Dan Kamikaze (Actual Exploit Discussion) Paul Schmehl (Jul 15)
- Re: DNS Cache Dan Kamikaze (Actual Exploit Discussion) Mark Andrews (Jul 15)
- Re: DNS Cache Dan Kamikaze (Actual Exploit Discussion) FRLinux (Jul 15)
- Re: DNS Cache Dan Kamikaze (Actual Exploit Discussion) Mark Andrews (Jul 15)
- Re: DNS Cache Dan Kamikaze (Actual Exploit Discussion) Paul Schmehl (Jul 15)
- Re: DNS Cache Dan Kamikaze (Actual Exploit Discussion) Mark Andrews (Jul 15)
- Re: DNS Cache Dan Kamikaze (Actual Exploit Discussion) Paul Schmehl (Jul 15)
- Re: DNS Cache Dan Kamikaze (Actual Exploit Discussion) Mark Andrews (Jul 15)
- Re: DNS Cache Dan Kamikaze (Actual Exploit Discussion) Valdis . Kletnieks (Jul 15)
- Re: DNS Cache Dan Kamikaze (Actual Exploit Discussion) Paul Schmehl (Jul 15)
- Re: DNS Cache Dan Kamikaze (Actual Exploit Discussion) Robert Holgstad (Jul 15)
- Re: DNS Cache Dan Kamikaze (Actual Exploit Discussion) Mark Andrews (Jul 15)
- Re: DNS Cache Dan Kamikaze (Actual Exploit Discussion) Nick FitzGerald (Jul 15)
- Re: DNS Cache Dan Kamikaze (Actual Exploit Discussion) Rob (Jul 15)
- Re: DNS Cache Dan Kamikaze (Actual Exploit Discussion) Ureleet (Jul 15)