DNS cache poisoning attacks -- are they real?

Florian Weimer fw at deneb.enyo.de
Sun Mar 27 22:16:44 UTC 2005


* Sean Donelan:

> Signatures don't create trust.  A signature can only confirm an existing
> trust relationship.  DNSSEC would have the same problem, where do you get
> the trustworthy signatures?  By connecting to the same root you don't
> trust?
>
> As a practical matter, you can stop 99% of the problems with a lot less
> effort.  Why has SSH been so successful, and DNSSEC stumbled so badly?

Because SSH "signatures" do create trust.  SSH uses the key continuity
model, not the PKI model.
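
The key continuity model named in the reply above, sketched as an added example that is not part of the original post or of OpenSSH: the client pins the key it sees on first contact and treats any later change as an alarm, with no third party vouching for the key. The `PinStore` class, the host name and the key blobs are constructed for illustration.

```python
import base64
import hashlib
import hmac


def fingerprint(key_blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256(key blob)."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class PinStore:
    """Hypothetical in-memory stand-in for a known_hosts file."""

    def __init__(self):
        self.pins = {}  # host name -> pinned fingerprint

    def check(self, host: str, key_blob: bytes) -> str:
        fp = fingerprint(key_blob)
        pinned = self.pins.get(host)
        if pinned is None:
            # First contact is unauthenticated: the key is accepted and pinned.
            # Nothing here proves who owns it; that is the model's weak point.
            self.pins[host] = fp
            return "NEW"
        if hmac.compare_digest(pinned, fp):
            # Same key as before: continuity holds, whatever path led here.
            return "MATCH"
        # Different key for a pinned name: refuse, and do not overwrite the pin.
        return "CHANGED"


def demo():
    """Constructed scenario: a name is later redirected to another server."""
    store = PinStore()
    real_key = b"constructed-host-key-A"    # sample data, not a real key
    other_key = b"constructed-host-key-B"   # key of the server a bad DNS answer led to
    return [
        store.check("shell.example.net", real_key),   # first connection
        store.check("shell.example.net", real_key),   # later, same server
        store.check("shell.example.net", other_key),  # name now points elsewhere
        store.check("shell.example.net", real_key),   # pin survived the mismatch
    ]


if __name__ == "__main__":
    print(demo())
```
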



More information about the NANOG mailing list