nanog mailing list archives

Re: .gov DNSSEC operational message


From: bmanning () vacation karoshi com
Date: Wed, 29 Dec 2010 16:56:52 +0000

On Wed, Dec 29, 2010 at 11:15:02AM -0500, Valdis.Kletnieks () vt edu wrote:
> On Wed, 29 Dec 2010 15:01:41 GMT, Tony Finch said:
> > No cryptography can expose the difference between data that is correctly
> > signed by the proper procedures and data that is correctly signed by a corrupt
> > procedure.

> Amen...

> Well, it *would* help detect an intruder that's smart enough to subvert the
> signing of the zones on the DNS server, but unable to also subvert the copy
> stored on some FTP site. Rather esoteric threat model, fast approaching
> the "Did you remember to take your meds?" level.

        presupposes the attack was server directed.  the DNS-sniper will take
        out your locally configured root KSK &/or replace it w/ their own.
        no need to "carpet-bomb" all users of the vt.edu caches - right?

> Plus, if you're worried about foobar.com's zone being maliciously signed, do
> you *really* want to follow a pointer to www.foobar.com to fetch another copy? :)

        who intimated that the OOB channel would be http?  since that is based
        on the DNS, i'd like to think it was suspect as well. :)

--bill
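The check the thread is circling around, as an added example that is not part of the original post: a resolver operator recomputes the key tag and DS digest (RFC 4034, digest type 2) from the DNSKEY actually configured as the local trust anchor and compares both against a copy obtained out of band. The key bytes and the "pinned" DS below are constructed for the example; a real pinned value would come from the out-of-band source, not from this script.

```python
import hashlib
import hmac
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercased, length-prefixed labels, root terminator."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (the form used for every algorithm except 1)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner: str, rdata: bytes) -> str:
    """Digest type 2: SHA-256 over owner-name wire form || DNSKEY RDATA, as lowercase hex."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()


def anchor_matches(owner: str, flags: int, protocol: int, algorithm: int, pubkey: bytes,
                   pinned_tag: int, pinned_digest: str) -> bool:
    """True only if the configured DNSKEY reproduces both the pinned key tag and the pinned DS digest."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    if key_tag(rdata) != pinned_tag:
        return False
    return hmac.compare_digest(ds_digest(owner, rdata), pinned_digest.lower())


if __name__ == "__main__":
    # Constructed stand-in for the real root KSK bytes (flags 257 = KSK + SEP, algorithm 8).
    genuine_key = bytes(range(64))
    genuine = dnskey_rdata(257, 3, 8, genuine_key)
    # Stand-in for the DS obtained out of band; derived here only so the demo is self-contained.
    pinned_tag, pinned_ds = key_tag(genuine), ds_digest(".", genuine)
    print("configured anchor ok:", anchor_matches(".", 257, 3, 8, genuine_key, pinned_tag, pinned_ds))
    swapped_key = bytes(range(1, 65))  # an attacker-substituted key with the same length and flags
    print("swapped anchor ok:", anchor_matches(".", 257, 3, 8, swapped_key, pinned_tag, pinned_ds))
```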


