.gov DNSSEC operational message
bmanning at vacation.karoshi.com
Wed Dec 29 16:56:52 UTC 2010
On Wed, Dec 29, 2010 at 11:15:02AM -0500, Valdis.Kletnieks at vt.edu wrote:
> On Wed, 29 Dec 2010 15:01:41 GMT, Tony Finch said:
> > No cryptography can expose the difference between data that is correctly
> > signed by the proper procedures and data that is correctly signed by a corrupt
> > procedure.
>
> Amen...
>
> Well, it *would* help detect an intruder that's smart enough to subvert the
> signing of the zones on the DNS server, but unable to also subvert the copy
> stored on some FTP site. Rather esoteric threat model, fast approaching
> the "Did you remember to take your meds?" level.
presupposes the attack was server directed. the DNS-sniper will take
out your locally configured root KSK &/or replace it w/ their own.
no need to "carpet-bomb" all users of the vt.edu caches - right?
> Plus, if you're worried about foobar.com's zone being maliciously signed, do
> you *really* want to follow a pointer to www.foobar.com to fetch another copy? :)
who intimated that the OOB channel would be http? since that is based
on the DNS, i'd like to think it was suspect as well. :)
--bill
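The "locally configured root KSK" that Bill mentions is the one thing a resolver cannot validate with DNSSEC itself, so its integrity has to be checked against something held out of band. The Python below is an added example, not code from this thread or from any NANOG participant: it computes the DS digest (RFC 4034 section 5.1.4, SHA-256 over the canonical owner name followed by the DNSKEY RDATA) and the RFC 4034 Appendix B key tag for a configured DNSKEY, then compares both with a pinned DS record kept outside the DNS. The key material, the `SAMPLE_DNSKEY` constant and the `trust_anchor_matches` function are constructed for illustration and are not a real root key.

```python
import hashlib
import struct

# Constructed sample key (NOT a real root KSK): flags 257 marks a KSK,
# protocol is always 3, algorithm 8 is RSA/SHA-256; the public key is a
# two-byte placeholder so the key tag is easy to check by hand.
SAMPLE_DNSKEY = {"flags": 257, "protocol": 3, "algorithm": 8, "pubkey": b"\x01\x02"}


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercased) wire form of an owner name; "." is a single zero byte."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(key: dict) -> bytes:
    """DNSKEY RDATA: flags (16 bits), protocol (8), algorithm (8), public key."""
    return struct.pack("!HBB", key["flags"], key["protocol"], key["algorithm"]) + key["pubkey"]


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag computed over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_sha256(owner: str, key: dict) -> str:
    """DS digest type 2 (SHA-256) per RFC 4034 5.1.4: SHA-256(owner_wire || RDATA)."""
    return hashlib.sha256(name_to_wire(owner) + dnskey_rdata(key)).hexdigest().upper()


def trust_anchor_matches(owner: str, key: dict, pinned: dict) -> bool:
    """Check a locally configured DNSKEY against a DS record obtained out of band.

    `pinned` carries the key tag, algorithm and hex digest the operator recorded
    from a source independent of the DNS. A swapped or altered key fails here
    even though the zone data it signs would validate perfectly.
    """
    rdata = dnskey_rdata(key)
    return (
        key_tag(rdata) == pinned["key_tag"]
        and key["algorithm"] == pinned["algorithm"]
        and ds_sha256(owner, key) == pinned["digest"].upper()
    )


if __name__ == "__main__":
    # The pinned DS is derived here from the sample key purely for the demo;
    # in practice it comes from a record stored outside the resolver and the DNS.
    pinned_ds = {"key_tag": 1291, "algorithm": 8, "digest": ds_sha256(".", SAMPLE_DNSKEY)}
    print("configured key matches pinned DS:", trust_anchor_matches(".", SAMPLE_DNSKEY, pinned_ds))
    altered = dict(SAMPLE_DNSKEY, pubkey=b"\x01\x03")
    print("altered key matches pinned DS:", trust_anchor_matches(".", altered, pinned_ds))
```

The comparison is deliberately done on a DS-style digest rather than on the raw key, so the pinned value is short enough to be printed, stored in configuration management or carried on paper, which is the point of an out-of-band copy: its usefulness depends entirely on the channel not being the DNS it is meant to check.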