Exploit for DNS Cache Poisoning - RELEASED

Valdis.Kletnieks at vt.edu
Thu Jul 24 20:05:00 CDT 2008


On Thu, 24 Jul 2008 17:43:10 PDT, David Conrad said:
> On Jul 24, 2008, at 4:24 PM, Tomas L. Byrnes wrote:
>> The problem is, once the ICANNt root is self-signed, the hope of ever
>> revoking that dysfunctional mess as authority is gone.

> As far as I'm aware, as long as the KSK isn't compromised, changing  
> the organization who holds the KSK simply means waiting until the next  
> KSK rollover and have somebody else do the signing.

That's true if the ICANN KSK is signed *by some other entity* - that entity
can then force a change by signing some *other* KSK for the next rollover.

If the ICANN key is self-signed as Tomas hypothesizes, then that leverage
evaporates.
If  