North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Re: DNS cache poisoning attacks -- are they real?
- From: Florian Weimer
- Date: Sun Mar 27 17:20:51 2005
* Sean Donelan:
> Signatures don't create trust. A signature can only confirm an existing
> trust relationship. DNSSEC would have the same problem, where do you get
> the trustworthing signatures? By connecting to the same root you don't
> As a practical matter, you can stop 99% of the problems with a lot less
> effort. Why has SSH been so successful, and DNSSEC stumbled so badly?
Because SSH "signatures" do create trust. SSH uses the key continuity
model, not the PKI model.