nanog mailing list archives

Re: Exploit for DNS Cache Poisoning - RELEASED


From: Valdis.Kletnieks () vt edu
Date: Thu, 24 Jul 2008 21:05:00 -0400

On Thu, 24 Jul 2008 17:43:10 PDT, David Conrad said:
> On Jul 24, 2008, at 4:24 PM, Tomas L. Byrnes wrote:
> > The problem is, once the ICANNt root is self-signed, the hope of ever
> > revoking that dysfunctional mess as authority is gone.
>
> As far as I'm aware, as long as the KSK isn't compromised, changing
> the organization who holds the KSK simply means waiting until the next
> KSK rollover and having somebody else do the signing.

That's true if the ICANN KSK is signed *by some other entity* - that entity
can then force a change by signing some *other* KSK for the next rollover.

If the ICANN key is self-signed as Tomas hypothesizes, then that leverage
evaporates.
If  

