Re: .gov DNSSEC operational message

About Merit

Services

Network

Resources & Support

Network Research

News

Events

Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Re: .gov DNSSEC operational message

From: Valdis.Kletnieks
Date: Wed Dec 29 11:15:47 2010

List-archive: <http://mailman.nanog.org/pipermail/nanog>
List-help: <mailto:nanog-request@nanog.org?subject=help>
List-id: North American Network Operators Group <nanog.nanog.org>
List-post: <mailto:nanog@nanog.org>
List-subscribe: <https://mailman.nanog.org/mailman/listinfo/nanog>,<mailto:nanog-request@nanog.org?subject=subscribe>
List-unsubscribe: <https://mailman.nanog.org/mailman/listinfo/nanog>,<mailto:nanog-request@nanog.org?subject=unsubscribe>

On Wed, 29 Dec 2010 15:01:41 GMT, Tony Finch said:
> No cryptography can expose the difference between data that is correctly
> signed by the proper procedures and data that is correctly signed by a corrupt
> procedure.

Amen...

Well, it *would* help detect an intruder that's smart enough to  subvert the
signing of the zones on the DNS server, but unable to also subvert the copy
stored on some FTP site. Rather esoteric threat model, fast approaching
the "Did you remember to take your meds?" level.

Plus, if you're worried about foobar.com's zone being maliciously signed, do
you *really* want to follow a pointer to www.foobar.com to fetch another copy? :)

Attachment: pgp00132.pgp
Description: PGP signature

Follow-Ups:
- Re: .gov DNSSEC operational message bmanning

References:
- Re: .gov DNSSEC operational message Jay Ashworth
- Re: .gov DNSSEC operational message Tony Finch

Prev by Date: =?utf-8?B?UmU6IDUuNy81LjggR0h6IDgwMi4xMW4gZHVhbCBwb2xhcml0eSBNSU1PIHRocm91Z2ggb2ZmaWNlIGJ1aWxkaW5nCWdsYXNzLCAxLjUga20gZGlzdGFuY2U=?=
Next by Date: Re: Specific Network Querying
Date Index
Thread Index
Author Index
Historical