.gov DNSSEC operational message
- Subject: .gov DNSSEC operational message
- From: bmanning at vacation.karoshi.com (bmanning at vacation.karoshi.com)
- Date: Wed, 29 Dec 2010 16:56:52 +0000
- In-reply-to: <37561.1293639302@localhost>
- References: <[email protected]> <[email protected]> <37561.1293639302@localhost>
On Wed, Dec 29, 2010 at 11:15:02AM -0500, Valdis.Kletnieks at vt.edu wrote:
> On Wed, 29 Dec 2010 15:01:41 GMT, Tony Finch said:
> > No cryptography can expose the difference between data that is correctly
> > signed by the proper procedures and data that is correctly signed by a corrupt
> > procedure.
>
> Amen...
>
> Well, it *would* help detect an intruder that's smart enough to subvert the
> signing of the zones on the DNS server, but unable to also subvert the copy
> stored on some FTP site. Rather esoteric threat model, fast approaching
> the "Did you remember to take your meds?" level.
presupposes the attack was server directed. the DNS-sniper will take
out your locally configured root KSK &/or replace it w/ their own.
no need to "carpet-bomb" all users of the vt.edu caches - right?
> Plus, if you're worried about foobar.com's zone being maliciously signed, do
> you *really* want to follow a pointer to www.foobar.com to fetch another copy? :)
who intimated that the OOB channel would be http? since that is based
on the DNS, i'd like to think it was suspect as well. :)
--bill
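As an added example (not code from this thread or from any of its participants): the one check a resolver operator can still do against a swapped local trust anchor is to compare the configured DNSKEY with a DS digest obtained over some other channel, following RFC 4034 (DS digest over the owner name in wire form plus the DNSKEY RDATA; key tag per Appendix B). The key material below is constructed for illustration and is not the real root KSK.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample key (NOT the real root KSK): flags 257 = KSK, protocol 3, alg 8.
SAMPLE_KEY_B64 = base64.b64encode(b"\x01\x02\x03\x04").decode()
# Same key with one byte altered, to show that the DS comparison catches it.
TAMPERED_KEY_B64 = base64.b64encode(b"\x01\x02\x03\x05").decode()

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Owner name in canonical DNS wire form (lowercased); "." becomes b'\\x00'."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, key_b64: str) -> bytes:
    """DNSKEY RDATA: flags (16 bit), protocol (8), algorithm (8), raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (the algorithm-1 special case is omitted)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest = hash(owner wire name || DNSKEY RDATA), hex (RFC 4034 section 5.1.4)."""
    return DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest()


def anchor_matches(owner: str, flags: int, protocol: int, algorithm: int, key_b64: str,
                   ds_tag: int, ds_alg: int, ds_digest_type: int, ds_digest_hex: str) -> bool:
    """True only if the locally configured DNSKEY agrees with the out-of-band DS record
    on key tag, algorithm and digest; any swapped or altered key fails this check."""
    if ds_digest_type not in DIGESTS:
        return False  # unknown digest type: cannot verify, so do not trust
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    if algorithm != ds_alg or key_tag(rdata) != ds_tag:
        return False
    expected = ds_digest(owner, rdata, ds_digest_type)
    return hmac.compare_digest(expected, ds_digest_hex.lower())
```

The DS values to compare against must come from a channel that does not itself depend on the resolver being checked; the code only does the comparison.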