[13732] in cryptography@c2.net mail archive
Re: Attacking networks using DHCP, DNS - probably kills DNSSEC
daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Mon Jun 30 09:04:14 2003
X-Original-To: cryptography@metzdowd.com
To: Simon Josefsson <jas@extundo.com>
Cc: Bill Stewart <bill.stewart@pobox.com>, cypherpunks@lne.com,
cryptography@metzdowd.com
Date: Sun, 29 Jun 2003 21:46:49 -0400
From: "Steven M. Bellovin" <smb@research.att.com>
In message <iluof0gh7vy.fsf@latte.josefsson.org>, Simon Josefsson writes:
>
>Of course, everything fails if you ALSO get your DNSSEC root key from
>the DHCP server, but in this case you shouldn't expect to be secure.
>I wouldn't be surprised if some people suggest pushing the DNSSEC root
>key via DHCP though, because alas, getting the right key into the
>laptop in the first place is a difficult problem.
>
I can pretty much guarantee that the IETF will never standardize that,
except possibly in conjunction with authenticated dhcp.
--Steve Bellovin, http://www.research.att.com/~smb (me)
http://www.wilyhacker.com (2nd edition of "Firewalls" book)