.gov DNSSEC operational message

bmanning at vacation.karoshi.com
Wed Dec 29 16:56:52 UTC 2010


On Wed, Dec 29, 2010 at 11:15:02AM -0500, Valdis.Kletnieks at vt.edu wrote:
> On Wed, 29 Dec 2010 15:01:41 GMT, Tony Finch said:
> > No cryptography can expose the difference between data that is correctly
> > signed by the proper procedures and data that is correctly signed by a corrupt
> > procedure.
> 
> Amen...
> 
> Well, it *would* help detect an intruder that's smart enough to  subvert the
> signing of the zones on the DNS server, but unable to also subvert the copy
> stored on some FTP site. Rather esoteric threat model, fast approaching
> the "Did you remember to take your meds?" level.

	presupposes the attack was server directed.  the DNS-sniper will take
	out your locally configured root KSK &/or replace it w/ their own.
	no need to "carpet-bomb" all users of the vt.edu caches - right?

> Plus, if you're worried about foobar.com's zone being maliciously signed, do
> you *really* want to follow a pointer to www.foobar.com to fetch another copy? :)

	who intimated that the OOB channel would be http?  since that is based
	on the DNS, i'd like to think it was suspect as well. :)

--bill
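Bill's point above is that the attacker may go after the resolver's locally configured trust anchor rather than the signed zone data. The following is an added example, not part of the original post and not anyone's production code: a Python check that compares a configured DNSKEY trust anchor against a DS record obtained through some out-of-band channel, by recomputing the key tag (RFC 4034 Appendix B) and the DS digest (RFC 4034 section 5.1.4, RFC 4509 for SHA-256). The sample DNSKEY is a constructed toy key, not the real root KSK, and in the demo the "out-of-band" DS is derived from that same key only so the script runs offline; in practice the DS comes from a source independent of the DNS (IANA's root-anchors.xml, or a printed copy), which is exactly the channel the thread is arguing about. The code shows only the comparison.

```python
"""Check a locally configured DNSSEC trust anchor (a DNSKEY RR) against a
DS record obtained out of band. Added example; not from the original post."""
import base64
import hashlib
import hmac
import struct

# Constructed sample input (NOT the real root KSK): a trust anchor as it
# might appear in a resolver's configuration, in DNSKEY presentation format.
CONFIGURED_ANCHOR = ". IN DNSKEY 257 3 8 AQI="

# DS digest types (RFC 4034 / RFC 4509 / RFC 6605).
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercase labels,
    each prefixed by its length, terminated by the zero-length root label."""
    name = name.strip().lower().rstrip(".")
    wire = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            wire += struct.pack("!B", len(raw)) + raw
    return wire + b"\x00"


def parse_dnskey_rr(line: str):
    """Parse '<owner> [ttl] [class] DNSKEY <flags> <proto> <alg> <base64...>'.
    Returns (owner, flags, protocol, algorithm, rdata) with rdata in wire form."""
    fields = line.split()
    idx = fields.index("DNSKEY")
    owner = fields[0]
    flags, proto, alg = (int(x) for x in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))
    return owner, flags, proto, alg, struct.pack("!HBB", flags, proto, alg) + pubkey


def parse_ds_rr(line: str):
    """Parse '<owner> [ttl] [class] DS <keytag> <alg> <digesttype> <hex...>'."""
    fields = line.split()
    idx = fields.index("DS")
    return (int(fields[idx + 1]), int(fields[idx + 2]), int(fields[idx + 3]),
            "".join(fields[idx + 4:]).upper())


def key_tag(rdata: bytes) -> int:
    """Key tag over the full DNSKEY RDATA (RFC 4034 Appendix B; not RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, rdata: bytes, digest_type: int):
    """DS fields for a DNSKEY: digest is over owner-name-wire || DNSKEY RDATA
    (RFC 4034 s5.1.4). Returns (keytag, algorithm, digest_type, hex_digest)."""
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], digest_type, digest


def anchor_matches(dnskey_line: str, ds_line: str) -> bool:
    """True only if the configured DNSKEY is a usable zone key AND every DS
    field (tag, algorithm, digest type, digest) matches the out-of-band DS."""
    owner, flags, proto, alg, rdata = parse_dnskey_rr(dnskey_line)
    if not (flags & 0x0100):      # Zone Key bit (RFC 4034 s2.1.1) must be set
        return False
    if proto != 3:                # protocol must be 3, anything else is invalid
        return False
    exp_tag, exp_alg, exp_dt, exp_digest = parse_ds_rr(ds_line)
    if exp_dt not in DIGESTS:
        return False
    tag, got_alg, _, digest = ds_from_dnskey(owner, rdata, exp_dt)
    return (tag == exp_tag and got_alg == exp_alg
            and hmac.compare_digest(digest, exp_digest))


if __name__ == "__main__":
    # Demo only: derive the "out-of-band" DS from the sample key so this runs
    # offline. In real use, copy the DS from a source independent of the DNS.
    owner, _, _, _, rdata = parse_dnskey_rr(CONFIGURED_ANCHOR)
    tag, alg, dt, digest = ds_from_dnskey(owner, rdata, 2)
    oob_ds = ". IN DS %d %d %d %s" % (tag, alg, dt, digest)
    print("out-of-band DS:", oob_ds)
    print("configured anchor OK:", anchor_matches(CONFIGURED_ANCHOR, oob_ds))
    # A resolver whose anchor was swapped for the attacker's key fails the check.
    print("swapped anchor OK:", anchor_matches(". IN DNSKEY 257 3 8 AQM=", oob_ds))
```

The check is only as good as the channel the DS came from: if the attacker who replaced the configured KSK can also feed you the DS (for example via a page fetched by resolving a name through the same compromised cache), the comparison proves nothing, which is Bill's objection to an HTTP-based OOB check.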