DNS cache poisoning attacks -- are they real?

Florian Weimer fw at deneb.enyo.de
Sun Mar 27 22:16:44 UTC 2005

* Sean Donelan:

> Signatures don't create trust.  A signature can only confirm an existing
> trust relationship.  DNSSEC would have the same problem, where do you get
> the trustworthy signatures?  By connecting to the same root you don't
> trust?
> As a practical matter, you can stop 99% of the problems with a lot less
> effort.  Why has SSH been so successful, and DNSSEC stumbled so badly?

Because SSH "signatures" do create trust.  SSH uses the key continuity
model, not the PKI model.
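The contrast Florian draws, as an added illustration that is not part of the original thread or of any SSH implementation: a known_hosts-style store that accumulates trust by key continuity (the first contact is unverified, every later one is checked against what was first seen, no third party involved) next to a root-signed check that can accept nothing until the verifier already holds the root's material. The host name `db.example`, the host keys and the root secrets are constructed sample values, and the keyed hash standing in for a root signature is an assumption of the example, not a real signature scheme.

```python
import hashlib
import hmac

# Constructed sample "host keys" (arbitrary bytes, not real SSH keys).
HOST_KEY_A = b"ssh-ed25519 AAAA-constructed-key-for-example-a"
HOST_KEY_B = b"ssh-ed25519 AAAA-constructed-key-for-example-b"


def fingerprint(pubkey: bytes) -> str:
    """SHA-256 fingerprint as hex, standing in for the ssh-keygen -l style display."""
    return hashlib.sha256(pubkey).hexdigest()


class KnownHosts:
    """Key continuity (trust on first use), in the manner of ~/.ssh/known_hosts.

    No third party is consulted.  The first connection to a host is
    unauthenticated: the key is simply recorded as the one to expect.  Every
    later connection is compared against that record, so a changed key is
    noticed without any root of trust.
    """

    def __init__(self):
        self._pins = {}  # host -> fingerprint seen on first contact

    def check(self, host: str, pubkey: bytes) -> str:
        fp = fingerprint(pubkey)
        pinned = self._pins.get(host)
        if pinned is None:
            # The one unverified step of the model: accept and record.
            self._pins[host] = fp
            return "first-use"
        if hmac.compare_digest(pinned, fp):
            return "match"
        # Continuity broken: the host re-keyed or someone is in the path.
        return "mismatch"


class RootSigned:
    """PKI-style check: a host key is accepted only if a trusted root vouches for it.

    A keyed hash (HMAC) stands in for the root's signature; this is an
    assumption of the example, not a real signature scheme.  The structural
    point is what matters: the verifier must already hold the root's
    verification material before it can trust anything at all.
    """

    def __init__(self, root_verifier: bytes):
        self._root = root_verifier

    @staticmethod
    def sign(root_signer: bytes, host: str, pubkey: bytes) -> bytes:
        return hmac.new(root_signer, host.encode() + b"\0" + pubkey, "sha256").digest()

    def check(self, host: str, pubkey: bytes, signature: bytes) -> str:
        expected = self.sign(self._root, host, pubkey)
        return "valid" if hmac.compare_digest(expected, signature) else "invalid"


def continuity_demo():
    """Three connections to one host: first use, same key again, then a different key."""
    kh = KnownHosts()
    return [
        kh.check("db.example", HOST_KEY_A),
        kh.check("db.example", HOST_KEY_A),
        kh.check("db.example", HOST_KEY_B),
    ]


def pki_demo():
    """The same signed host key is accepted under the issuing root and rejected under another."""
    root = b"constructed-root-secret"
    other_root = b"another-constructed-root"
    sig = RootSigned.sign(root, "db.example", HOST_KEY_A)
    return [
        RootSigned(root).check("db.example", HOST_KEY_A, sig),
        RootSigned(other_root).check("db.example", HOST_KEY_A, sig),
    ]


if __name__ == "__main__":
    print("key continuity:", continuity_demo())  # ['first-use', 'match', 'mismatch']
    print("root-signed   :", pki_demo())         # ['valid', 'invalid']
```

The `first-use` result is the whole cost of the continuity model: that one contact can be intercepted, and nothing in the model detects it. Everything after it is checked locally, which is why an SSH user never needs to ask where a trustworthy root comes from; the `invalid` result in the second demo shows that a verifier holding the wrong root gets nothing from a perfectly good signature.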

