nanog mailing list archives
Re: .gov DNSSEC operational message
From: Valdis.Kletnieks () vt edu
Date: Wed, 29 Dec 2010 11:15:02 -0500
On Wed, 29 Dec 2010 15:01:41 GMT, Tony Finch said:
> No cryptography can expose the difference between data that is correctly signed by the proper procedures and data that is correctly signed by a corrupt procedure.
Amen... Well, it *would* help detect an intruder that's smart enough to subvert the signing of the zones on the DNS server, but unable to also subvert the copy stored on some FTP site. Rather esoteric threat model, fast approaching the "Did you remember to take your meds?" level. Plus, if you're worried about foobar.com's zone being maliciously signed, do you *really* want to follow a pointer to www.foobar.com to fetch another copy? :)