[106259] in North American Network Operators' Group
Re: Exploit for DNS Cache Poisoning - RELEASED
daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Thu Jul 24 21:05:17 2008
To: David Conrad <drc@virtualized.org>
In-Reply-To: Your message of "Thu, 24 Jul 2008 17:43:10 PDT."
<94C2CA9D-99BC-4ABA-8DA3-F8A348F073F2@virtualized.org>
From: Valdis.Kletnieks@vt.edu
Date: Thu, 24 Jul 2008 21:05:00 -0400
Cc: nanog@merit.edu
Errors-To: nanog-bounces@nanog.org
On Thu, 24 Jul 2008 17:43:10 PDT, David Conrad said:
> On Jul 24, 2008, at 4:24 PM, Tomas L. Byrnes wrote:
>> The problem is, once the ICANNt root is self-signed, the hope of ever
>> revoking that dysfunctional mess as authority is gone.
> As far as I'm aware, as long as the KSK isn't compromised, changing
> the organization who holds the KSK simply means waiting until the next
> KSK rollover and having somebody else do the signing.
That's true if the ICANN KSK is signed *by some other entity* - that entity
can then force a change by signing some *other* KSK for the next rollover.
If the ICANN key is self-signed as Tomas hypothesizes, then that leverage
evaporates.
If
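The leverage argument in the message above can be made concrete with a small model of trust-anchor validation. The following is an added illustration written for this archive page, not code from the NANOG thread or from any DNSSEC implementation. It assumes a simplified RFC 5011-style rule (a successor KSK is trusted only if signed by the key the resolver currently trusts), uses hypothetical key names (`parent`, `ksk-A`, `ksk-B`), and replaces real DNSSEC signing with a deliberately tiny textbook RSA over constructed small primes so that it runs offline with the standard library alone; nothing in it is usable as real cryptography.

```python
"""Toy model of who can get a replacement DNSSEC KSK accepted.

Added example for this thread, not NANOG or DNSSEC project code. The RSA
here uses constructed small primes and is for illustration only.
"""
import hashlib
from dataclasses import dataclass


def _digest_int(data: bytes, n: int) -> int:
    """Hash the message and reduce it into the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


@dataclass(frozen=True)
class PublicKey:
    name: str
    n: int
    e: int

    def to_bytes(self) -> bytes:
        """Serialised public part, i.e. what a DNSKEY record would carry."""
        return f"{self.name}:{self.n}:{self.e}".encode()

    def verify(self, data: bytes, sig: int) -> bool:
        return pow(sig, self.e, self.n) == _digest_int(data, self.n)


@dataclass(frozen=True)
class PrivateKey:
    public: PublicKey
    d: int  # private exponent: only the key holder has this

    @classmethod
    def generate(cls, name: str, p: int, q: int, e: int = 65537) -> "PrivateKey":
        # p, q are constructed small primes (toy sizes); real keys are 2048+ bits
        n = p * q
        d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse, Python >= 3.8
        return cls(PublicKey(name, n, e), d)

    def sign(self, data: bytes) -> int:
        return pow(_digest_int(data, self.public.n), self.d, self.public.n)


@dataclass(frozen=True)
class SignedKSK:
    """A proposed KSK (as in a DNSKEY RRset) plus an RRSIG-like signature."""
    ksk: bytes
    signer: str
    signature: int


class Resolver:
    """A validating resolver configured with exactly one trust anchor."""

    def __init__(self, anchor: PublicKey):
        self.anchor = anchor

    def accepts(self, proposal: SignedKSK) -> bool:
        # Simplified RFC 5011 rule (an assumption of this model): a successor
        # KSK counts only if it is signed by the currently trusted key.
        if proposal.signer != self.anchor.name:
            return False
        return self.anchor.verify(proposal.ksk, proposal.signature)


def endorse(signer: PrivateKey, ksk: PublicKey) -> SignedKSK:
    """Signer places its signature over the candidate KSK's public part."""
    raw = ksk.to_bytes()
    return SignedKSK(raw, signer.public.name, signer.sign(raw))


def rollover_leverage() -> dict:
    """Compare the two cases in the thread: KSK endorsed by some other
    entity versus KSK self-signed and used directly as the trust anchor."""
    parent = PrivateKey.generate("parent", 10007, 10009)  # hypothetical other entity
    ksk_a = PrivateKey.generate("ksk-A", 10037, 10039)    # hypothetical current KSK
    ksk_b = PrivateKey.generate("ksk-B", 10061, 10067)    # hypothetical successor

    # Case 1: resolvers anchor on the separate signing entity, so that entity
    # can endorse a different KSK at the next rollover on its own.
    anchored_on_parent = Resolver(parent.public)
    # Case 2: the KSK is self-signed and is the anchor itself; only the
    # current KSK's signature carries weight.
    anchored_on_ksk_a = Resolver(ksk_a.public)

    # A party without ksk-A's private exponent cannot produce a ksk-A signature.
    raw_b = ksk_b.public.to_bytes()
    forged = SignedKSK(raw_b, "ksk-A", ksk_b.sign(raw_b))

    return {
        "external_signer_can_replace": anchored_on_parent.accepts(endorse(parent, ksk_b.public)),
        "self_signed_parent_can_replace": anchored_on_ksk_a.accepts(endorse(parent, ksk_b.public)),
        "self_signed_holder_can_replace": anchored_on_ksk_a.accepts(endorse(ksk_a, ksk_b.public)),
        "self_signed_forgery_accepted": anchored_on_ksk_a.accepts(forged),
    }


if __name__ == "__main__":
    for outcome, accepted in rollover_leverage().items():
        print(f"{outcome}: {accepted}")
```

In the self-signed case the only in-band way to change holders is a rollover signed by the current key, which is exactly the point about leverage evaporating; the remaining option is every resolver operator replacing the configured anchor out of band.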