[110468] in North American Network Operators' Group


Re: Security team successfully cracks SSL using 200 PS3's and MD5

daemon@ATHENA.MIT.EDU (Mark Andrews)
Tue Jan 6 01:11:07 2009

To: Colin Alston <karnaugh@karnaugh.za.net>
From: Mark Andrews <Mark_Andrews@isc.org>
In-reply-to: Your message of "Tue, 06 Jan 2009 06:39:50 +0200." <4962E096.7070409@karnaugh.za.net>
Date: Tue, 06 Jan 2009 17:10:47 +1100
Cc: "nanog@nanog.org" <nanog@nanog.org>, Joe Greco <jgreco@ns.sol.net>
Errors-To: nanog-bounces@nanog.org


In message <4962E096.7070409@karnaugh.za.net>, Colin Alston writes:
> On 2009/01/05 10:47 PM Randy Bush wrote:
> > perhaps i am a bit slow.  but could someone explain to me how trust in 
> > dns data transfers to trust in an http partner and other uses to which 
> > ssl is put?
> 
> I must also be slow. Can someone tell me how DNSSEC is supposed to 
> encrypt my TCP/IP traffic?

	DNSSEC allows you to go from dns name -> CERT in a secure
	manner.   The application then checks that the cert used to
	establish the ssl session is one from the CERT RRset.

	Basically when you pay your $70 or whatever for the CERT
	record you are asking the CA to assert that you have the
	right to use the domain name.  It's expensive because they
	are not part of existing DNS trust relationship setup when
	the domain was delegated in the first place.

	The natural place to look for DNS trust is in the DNS.

	Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews@isc.org
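The check Mark describes (name -> CERT RRset via DNSSEC, then confirm the certificate the server presented in the TLS handshake is one of the RRset's members), written out as an added example; this is not code from the thread or from ISC. It assumes the DNS lookup and the TLS handshake have already happened elsewhere and that the resolver's AD bit is available to the application; the record values and "certificates" are constructed stand-ins, not real DER.

```python
"""Check a TLS leaf certificate against a DNSSEC-validated CERT RRset.

Added example. CERT RRs follow RFC 4398 presentation format:
    <type> <key tag> <algorithm> <base64 certificate>
with type 1 = PKIX, i.e. a DER-encoded X.509 certificate.
"""
import base64
from dataclasses import dataclass

CERT_TYPE_PKIX = 1  # RFC 4398: X.509 certificate, DER encoded


@dataclass(frozen=True)
class CertRR:
    cert_type: int
    key_tag: int
    algorithm: int
    der: bytes


def parse_cert_rr(presentation: str) -> CertRR:
    """Parse one CERT RR from presentation format into its fields."""
    fields = presentation.split()
    if len(fields) < 4:
        raise ValueError("malformed CERT RR: %r" % presentation)
    ctype, tag, alg = (int(f) for f in fields[:3])
    # base64 may be split across whitespace in zone files; rejoin it
    der = base64.b64decode("".join(fields[3:]), validate=True)
    return CertRR(ctype, tag, alg, der)


def cert_matches_rrset(leaf_der: bytes, rrset: list, dnssec_ad: bool) -> bool:
    """True only if the answer was DNSSEC-validated (AD bit set by a
    validating resolver) AND the presented leaf certificate is, byte for
    byte, one of the PKIX CERT records. An unvalidated RRset could have
    been spoofed, so it proves nothing and the check fails closed."""
    if not dnssec_ad:
        return False
    return any(rr.cert_type == CERT_TYPE_PKIX and rr.der == leaf_der
               for rr in rrset)


# Constructed sample data (hypothetical name, stand-in bytes, not real DER).
GOOD_DER = b"\x30\x82constructed-cert-for-example.test"
OTHER_DER = b"\x30\x82constructed-second-cert"
SAMPLE_RRSET = [
    parse_cert_rr("1 12345 8 " + base64.b64encode(GOOD_DER).decode()),
    parse_cert_rr("1 23456 8 " + base64.b64encode(OTHER_DER).decode()),
]
```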

