.gov DNSSEC operational message

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Wed Dec 29 16:15:02 UTC 2010


On Wed, 29 Dec 2010 15:01:41 GMT, Tony Finch said:
> No cryptography can expose the difference between data that is correctly
> signed by the proper procedures and data that is correctly signed by a corrupt
> procedure.

Amen...

Well, it *would* help detect an intruder that's smart enough to subvert the
signing of the zones on the DNS server, but unable to also subvert the copy
stored on some FTP site. Rather esoteric threat model, fast approaching
the "Did you remember to take your meds?" level.

Plus, if you're worried about foobar.com's zone being maliciously signed, do
you *really* want to follow a pointer to www.foobar.com to fetch another copy? :)
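As an added illustration (not part of the thread, and not any tool the posters describe), the snippet below shows what the narrow out-of-band check discussed above actually amounts to: compare the records a nameserver is serving against an independently stored copy, ignoring the signing-related records (which a compromised signer will produce correctly anyway), and refuse a reference URL whose host lives inside the zone under suspicion, since that is exactly the circular pointer the post jokes about. Zone data, names and URLs are constructed samples; `example.test` is a placeholder, not a real zone.

```python
"""Out-of-band zone comparison (added example, constructed data).

DNSSEC validation tells you the RRsets were signed by the zone's key; it
cannot tell you whether the signing process itself was honest. The only
thing that can is an independent copy of what the zone is supposed to say.
"""
from urllib.parse import urlparse

# Record types whose presence or content is an artefact of signing. They are
# excluded from the comparison: a re-signed zone has different RRSIG/NSEC
# data by construction, and that difference proves nothing.
SIGNING_TYPES = {"RRSIG", "DNSKEY", "NSEC", "NSEC3", "NSEC3PARAM", "DS"}

# Constructed sample: what the authoritative server currently serves.
SERVED_ZONE = [
    ("example.test.", "SOA", "ns1.example.test. hostmaster.example.test. 2010122901 3600 900 604800 300"),
    ("example.test.", "NS", "ns1.example.test."),
    ("www.example.test.", "A", "192.0.2.10"),
    ("mail.example.test.", "A", "192.0.2.99"),          # attacker-changed value
    ("example.test.", "DNSKEY", "257 3 8 AwEAAconstructedKeyMaterial=="),
    ("www.example.test.", "RRSIG", "A 8 3 300 20110128000000 20101229000000 12345 example.test. constructedSig=="),
]

# Constructed sample: the copy kept somewhere the signer cannot reach.
REFERENCE_ZONE = [
    ("example.test.", "SOA", "ns1.example.test. hostmaster.example.test. 2010122901 3600 900 604800 300"),
    ("example.test.", "NS", "ns1.example.test."),
    ("www.example.test.", "A", "192.0.2.10"),
    ("mail.example.test.", "A", "192.0.2.25"),
    ("example.test.", "DNSKEY", "257 3 8 AwEAAconstructedKeyMaterial=="),
]


def _normalize(records):
    """Canonicalise (owner, type, rdata) tuples and drop signing artefacts."""
    out = set()
    for owner, rtype, rdata in records:
        rtype = rtype.upper()
        if rtype in SIGNING_TYPES:
            continue
        out.add((owner.lower().rstrip("."), rtype, " ".join(rdata.split())))
    return out


def diff_zones(served, reference):
    """Return records present only on the server and records only in the copy.

    An empty result means the served data matches the independent copy; any
    entry is something the signer put its signature on that the zone owner
    never intended to publish (or something that vanished).
    """
    s, r = _normalize(served), _normalize(reference)
    return {"unexpected": sorted(s - r), "missing": sorted(r - s)}


def reference_is_independent(zone_name, reference_url):
    """True if the reference copy's host is outside the zone being checked.

    Fetching the 'trusted' copy from www.<zone> means resolving a name the
    suspect signer controls, which defeats the purpose of the comparison.
    """
    host = (urlparse(reference_url).hostname or "").lower().rstrip(".")
    zone = zone_name.lower().rstrip(".")
    return bool(host) and host != zone and not host.endswith("." + zone)


if __name__ == "__main__":
    for url in ("ftp://www.example.test/zones/example.test",
                "ftp://archive.independent.invalid/zones/example.test"):
        print(url, "independent" if reference_is_independent("example.test.", url) else "CIRCULAR")
    print(diff_zones(SERVED_ZONE, REFERENCE_ZONE))
```

The comparison is only as good as the independence of the copy, which is the post's point: if the same intruder can reach both, valid signatures on both tell you nothing.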