Merit Network

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


Re: DNS cache poisoning attacks -- are they real?

  • From: Florian Weimer
  • Date: Sun Mar 27 17:20:51 2005

* Sean Donelan:

> Signatures don't create trust.  A signature can only confirm an existing
> trust relationship.  DNSSEC would have the same problem, where do you get
> the trustworthy signatures?  By connecting to the same root you don't
> trust?
>
> As a practical matter, you can stop 99% of the problems with a lot less
> effort.  Why has SSH been so successful, and DNSSEC stumbled so badly?

Because SSH "signatures" do create trust.  SSH uses the key continuity
model, not the PKI model.
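
The key continuity model named in the reply above, sketched as an added example (it is not part of the original message and is not OpenSSH's code): a host key is pinned at first contact, and every later connection is compared against that pin instead of against a certificate chain. The class name, host name and key bytes are constructed for illustration.

```python
import base64
import hashlib


def fingerprint(key_blob: bytes) -> str:
    """OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the key blob."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class KeyContinuityStore:
    """Hypothetical in-memory analogue of a known_hosts file."""

    def __init__(self):
        self._pins = {}  # host -> fingerprint pinned at first contact

    def check(self, host: str, key_blob: bytes) -> str:
        seen = fingerprint(key_blob)
        pinned = self._pins.get(host)
        if pinned is None:
            # First contact: no third party vouches for the key. Trust starts
            # here and is only as good as this one exchange.
            self._pins[host] = seen
            return "first-use"
        if pinned == seen:
            return "match"
        # Continuity broken: report it and keep the old pin, so a one-off
        # substitution cannot silently become the new baseline.
        return "changed"

    def replace(self, host: str, key_blob: bytes) -> None:
        """Explicit operator action after verifying the new key out of band."""
        self._pins[host] = fingerprint(key_blob)


def run_demo():
    key_a = b"constructed-host-key-A"  # constructed sample key material
    key_b = b"constructed-host-key-B"  # constructed sample key material
    store = KeyContinuityStore()
    host = "ns1.example.net"           # constructed host name
    results = [store.check(host, key_a), store.check(host, key_a),
               store.check(host, key_b), store.check(host, key_b)]
    store.replace(host, key_b)
    results.append(store.check(host, key_b))
    return results


if __name__ == "__main__":
    print(run_demo())
```
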



