nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: .gov DNSSEC operational message

From: Valdis.Kletnieks () vt edu
Date: Wed, 29 Dec 2010 11:15:02 -0500
On Wed, 29 Dec 2010 15:01:41 GMT, Tony Finch said:

No cryptography can expose the difference between data that is correctly
signed by the proper procedures and data that is correctly signed by a corrupt
procedure.


Amen...

Well, it *would* help detect an intruder that's smart enough to  subvert the
signing of the zones on the DNS server, but unable to also subvert the copy
stored on some FTP site. Rather esoteric threat model, fast approaching
the "Did you remember to take your meds?" level.

Plus, if you're worried about foobar.com's zone being maliciously signed, do
you *really* want to follow a pointer to www.foobar.com to fetch another copy? :)

Attachment: _bin
Description:

Previous By Date Next
Previous By Thread Next

Current thread: