[116526] in North American Network Operators' Group
Re: dnscurve and DNS hardening, was Re: Dan Kaminsky
From: Alexander Harrowell <a.harrowell@gmail.com>
To: nanog@nanog.org
Date: Thu, 6 Aug 2009 11:06:49 +0100
In-Reply-To: <82k51h75r6.fsf@mid.bfk.de>
There are really two security problems here, which implies that two different methods might be necessary:

1) Authenticate the nameserver to the client (and so on up the chain to the root) in order to defeat the Kaminsky attack, man in the middle, IP-layer interference. (Are you who you say you are?)

2) Validate the information in the nameserver. (OK, so you're the nameserver; but who says www.google.com is 1.2.3.4?)

1) is the transport layer problem; 2) is the dnssec/zone signing problem.
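The split the post draws, channel authentication versus data validation, can be made concrete with a toy resolver that applies each check separately. This is an added example, not code from the post or from any DNSCurve or DNSSEC implementation: HMAC stands in for the public-key operations the real protocols use (DNSCurve's per-server keys, DNSSEC's zone-signing keys and trust anchor), the keys, the transaction ID and the addresses 1.2.3.4 / 192.0.2.1 are all constructed, and the function names are hypothetical. It models three senders: an off-path forger who only guesses the 16-bit transaction ID (the Kaminsky case), a nameserver that is correctly keyed on the channel but serves wrong data, and the honest server.

```python
"""Toy model of the two DNS trust problems: is this packet from the nameserver
I asked (channel), and is the data in it what the zone owner published (data)?
Added example with constructed keys/addresses; HMAC is a stand-in for the
public-key signatures DNSCurve and DNSSEC actually use."""
import hashlib
import hmac
from dataclasses import dataclass

NS_CHANNEL_KEY = b"ns1.example.com channel key"      # held by the real nameserver only
ZONE_SIGNING_KEY = b"example.com zone signing key"   # held by the zone signer only
TRUST_ANCHOR = ZONE_SIGNING_KEY                      # what a validator trusts (toy: same key)
ATTACKER_KEY = b"attacker has neither key"           # used to produce junk tags/sigs


def mac(key: bytes, *parts: str) -> str:
    return hmac.new(key, "|".join(parts).encode(), hashlib.sha256).hexdigest()


def rrsig(name: str, rdata: str, key: bytes = ZONE_SIGNING_KEY) -> str:
    """Signature over the RRset itself (DNSSEC-style): bound to the data,
    not to whichever server happened to deliver it."""
    return mac(key, "RRSIG", name, rdata)


def channel_tag(txid: int, name: str, rdata: str, key: bytes = NS_CHANNEL_KEY) -> str:
    """Per-packet authenticator bound to the nameserver's key (DNSCurve-style):
    proves who sent the packet, says nothing about whether the contents are true."""
    return mac(key, "CHAN", str(txid), name, rdata)


@dataclass
class Reply:
    txid: int
    name: str
    rdata: str
    sig: str   # RRSIG-like data signature
    tag: str   # channel authenticator


def resolve(txid: int, replies: list, check_channel: bool, check_data: bool):
    """Return the rdata of the first reply this resolver accepts, or None.
    Replies are processed in arrival order, so a forgery that arrives before
    the honest answer wins unless a check rejects it."""
    for r in replies:
        if r.txid != txid:
            continue  # the only check a plain resolver has: a 16-bit transaction ID
        if check_channel and not hmac.compare_digest(
                r.tag, channel_tag(r.txid, r.name, r.rdata)):
            continue  # packet was not produced by the keyed nameserver
        if check_data and not hmac.compare_digest(
                r.sig, rrsig(r.name, r.rdata, TRUST_ANCHOR)):
            continue  # data was not signed by the zone owner
        return r.rdata
    return None


def scenario() -> dict:
    """Run the three senders against each resolver configuration."""
    txid, name, lie, truth = 0x1234, "www.google.com", "1.2.3.4", "192.0.2.1"
    # Off-path forger: guessed the txid, has neither key.
    kaminsky = Reply(txid, name, lie,
                     sig=mac(ATTACKER_KEY, "RRSIG", name, lie),
                     tag=mac(ATTACKER_KEY, "CHAN", str(txid), name, lie))
    # Correctly keyed nameserver serving wrong data (it has no zone key).
    rogue_ns = Reply(txid, name, lie,
                     sig=mac(ATTACKER_KEY, "RRSIG", name, lie),
                     tag=channel_tag(txid, name, lie))
    honest = Reply(txid, name, truth,
                   sig=rrsig(name, truth), tag=channel_tag(txid, name, truth))
    return {
        # txid-only resolver: the first matching packet wins, forgery succeeds
        "plain_vs_forger": resolve(txid, [kaminsky, honest], False, False),
        # channel auth defeats the off-path forger (problem 1)
        "channel_vs_forger": resolve(txid, [kaminsky, honest], True, False),
        # but a genuinely keyed server can still lie (problem 2 untouched)
        "channel_vs_rogue_ns": resolve(txid, [rogue_ns, honest], True, False),
        # data validation catches the lie regardless of who sent it
        "data_vs_rogue_ns": resolve(txid, [rogue_ns, honest], False, True),
        # both checks: only the honest, signed answer survives
        "both_checks": resolve(txid, [kaminsky, rogue_ns, honest], True, True),
    }


if __name__ == "__main__":
    for case, answer in scenario().items():
        print(f"{case:22s} -> {answer}")
```

The point the two `channel_vs_*` results make is the one the post makes: authenticating the transport tells you the packet came from the server you keyed, and nothing more, so a forgery from off-path is stopped while a wrong answer from a legitimately keyed server sails through. Only a signature carried with the RRset, checked against a trust anchor, rejects the second case, and it does so whether or not the channel was authenticated.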