nanog mailing list archives
Re: .gov DNSSEC operational message
From: bmanning () vacation karoshi com
Date: Wed, 29 Dec 2010 16:56:52 +0000
On Wed, Dec 29, 2010 at 11:15:02AM -0500, Valdis.Kletnieks () vt edu wrote:
On Wed, 29 Dec 2010 15:01:41 GMT, Tony Finch said:No cryptography can expose the difference between data that is correctly signed by the proper procedures and data that is correctly signed by a corrupt procedure.Amen... Well, it *would* help detect an intruder that's smart enough to subvert the signing of the zones on the DNS server, but unable to also subvert the copy stored on some FTP site. Rather esoteric threat model, fast approaching the "Did you remember to take your meds?" level.
presuposes the attack was server directed. the DNS-sniper will take out your locally configured root KSK &/or replace it w/ their own. no need to "carpet-bomb" all users of the vt.edu caches - right?
Plus, if you're worried about foobar.com's zone being maliciously signed, do you *really* want to follow a pointer to www.foobar.com to fetch another copy? :)
who intimated that the OOB channel would be http? since that is based on the DNS, i'd like to think it was suspect as well. :) --bill
Current thread:
- Re: .gov DNSSEC operational message, (continued)
- Re: .gov DNSSEC operational message Matt Larson (Dec 26)
- Re: .gov DNSSEC operational message Doug Barton (Dec 28)
- Re: .gov DNSSEC operational message - picking a fight bmanning (Dec 28)
- Re: .gov DNSSEC operational message - picking a fight Doug Barton (Dec 28)
- Re: .gov DNSSEC operational message - picking a fight Tony Finch (Dec 29)
- Re: .gov DNSSEC operational message - picking a fight bmanning (Dec 29)
- Re: .gov DNSSEC operational message Matt Larson (Dec 26)
- Re: .gov DNSSEC operational message Jay Ashworth (Dec 28)
- Re: .gov DNSSEC operational message Robert E. Seastrom (Dec 29)
- Re: .gov DNSSEC operational message Tony Finch (Dec 29)
- Re: .gov DNSSEC operational message Valdis . Kletnieks (Dec 29)
- Re: .gov DNSSEC operational message bmanning (Dec 29)
- Re: .gov DNSSEC operational message Tony Finch (Dec 30)
- Re: .gov DNSSEC operational message Jay Ashworth (Dec 30)
- Re: .gov DNSSEC operational message Jay Ashworth (Dec 28)
- Re: .gov DNSSEC operational message jamie rishaw (Dec 27)
- Re: .gov DNSSEC operational message Jay Ashworth (Dec 28)
- Re: .gov DNSSEC operational message Kevin Oberman (Dec 28)
- Re: .gov DNSSEC operational message Jay Ashworth (Dec 28)
- Re: .gov DNSSEC operational message Kevin Oberman (Dec 28)
- Re: .gov DNSSEC operational message bmanning (Dec 28)