[134217] in North American Network Operators' Group


Re: .gov DNSSEC operational message

daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Wed Dec 29 11:16:32 2010

To: Tony Finch <dot@dotat.at>
In-Reply-To: Your message of "Wed, 29 Dec 2010 15:01:41 GMT."
	<E2B529AC-E159-4B1B-A60F-D8FEF609187B@dotat.at>
From: Valdis.Kletnieks@vt.edu
Date: Wed, 29 Dec 2010 11:15:02 -0500
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On Wed, 29 Dec 2010 15:01:41 GMT, Tony Finch said:
> No cryptography can expose the difference between data that is correctly
> signed by the proper procedures and data that is correctly signed by a corrupt
> procedure.

Amen...

Well, it *would* help detect an intruder that's smart enough to subvert the
signing of the zones on the DNS server, but unable to also subvert the copy
stored on some FTP site. Rather esoteric threat model, fast approaching
the "Did you remember to take your meds?" level.

Plus, if you're worried about foobar.com's zone being maliciously signed, do
you *really* want to follow a pointer to www.foobar.com to fetch another copy? :)


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Exmh version 2.5 07/13/2001

iD8DBQFNG16FcC3lWbTT17ARAqVcAKDylCpeXARCVuNYr538RWFGxVuOOgCeIieI
nikxtgqh2HgC587ZzAqjN38=
=sE3A
-----END PGP SIGNATURE-----


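The check Valdis describes above, as an added illustration that is not part of the thread: a signed zone is compared against an out-of-band copy, ignoring the records the signer generates itself (RRSIG, NSEC, NSEC3, NSEC3PARAM), so that a record altered before signing shows up as a divergence even though its signature validates. It also encodes his last caveat: a reference copy whose location is a name inside the zone under suspicion is not out of band. Both zone texts below are constructed samples; the one-record-per-line format with explicit owner, TTL, class and type is an assumption of this example, as are the URL forms passed to `reference_is_out_of_band`.

```python
"""Cross-check a DNSSEC-signed zone against an out-of-band copy.

Added example for the NANOG thread above, not code from any poster.
Assumes a simplified zone format: one RR per line, every line carrying
owner, TTL, class and type; ';' starts a comment (so ';' inside rdata
is not supported here).
"""
from collections import defaultdict
from urllib.parse import urlparse
import ipaddress

# Records produced by the signing step itself; they legitimately differ
# between the signed zone and an unsigned reference copy.
DNSSEC_GENERATED = {"RRSIG", "NSEC", "NSEC3", "NSEC3PARAM"}

# Constructed sample: the zone as served by the (possibly subverted) signer.
LIVE_ZONE = """\
; constructed sample, not real data
foobar.com.      3600 IN SOA   ns1.foobar.com. hostmaster.foobar.com. 2010122901 7200 3600 1209600 3600
foobar.com.      3600 IN NS    ns1.foobar.com.
foobar.com.      3600 IN NS    ns2.foobar.com.
www.foobar.com.  300  IN A     192.0.2.10
www.foobar.com.  300  IN RRSIG A 8 3 300 20110128000000 20101229000000 12345 foobar.com. dGVzdA==
mail.foobar.com. 300  IN A     192.0.2.99
"""

# Constructed sample: the copy kept on a host outside the signer's reach.
REFERENCE_ZONE = """\
; constructed sample, not real data
foobar.com.      3600 IN SOA   ns1.foobar.com. hostmaster.foobar.com. 2010122901 7200 3600 1209600 3600
foobar.com.      3600 IN NS    ns1.foobar.com.
foobar.com.      3600 IN NS    ns2.foobar.com.
www.foobar.com.  300  IN A     192.0.2.10
mail.foobar.com. 300  IN A     192.0.2.25
"""


def parse_zone(text):
    """Return {(owner, type): {rdata, ...}} for the non-DNSSEC records."""
    rrsets = defaultdict(set)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        owner, klass, rtype = fields[0].lower(), fields[2].upper(), fields[3].upper()
        if klass != "IN" or rtype in DNSSEC_GENERATED:
            continue
        rrsets[(owner, rtype)].add(" ".join(fields[4:]))
    return rrsets


def diff_zones(live_text, ref_text):
    """List every RRset whose data differs: (owner, type, live_rdata, ref_rdata)."""
    live, ref = parse_zone(live_text), parse_zone(ref_text)
    diffs = []
    for key in sorted(set(live) | set(ref)):
        live_set, ref_set = live.get(key, set()), ref.get(key, set())
        if live_set != ref_set:
            diffs.append((key[0], key[1], live_set, ref_set))
    return diffs


def reference_is_out_of_band(ref_url, zone_name):
    """True if fetching ref_url does not depend on the zone being checked.

    A literal IP address qualifies; a hostname does only if it is not the
    zone apex or a name beneath it (the 'www.foobar.com' caveat).
    """
    host = urlparse(ref_url).hostname
    if host is None:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    host = host.rstrip(".").lower() + "."
    zone = zone_name.rstrip(".").lower() + "."
    return not (host == zone or host.endswith("." + zone))


if __name__ == "__main__":
    for url in ("ftp://www.foobar.com/foobar.com.zone", "ftp://192.0.2.50/foobar.com.zone"):
        print(f"{url}: out of band = {reference_is_out_of_band(url, 'foobar.com.')}")
    for owner, rtype, live_set, ref_set in diff_zones(LIVE_ZONE, REFERENCE_ZONE):
        print(f"DIVERGENCE {owner} {rtype}: served={sorted(live_set)} reference={sorted(ref_set)}")
```

In the sample run the RRSIG on www.foobar.com is skipped as signer output, and the only divergence reported is the A record for mail.foobar.com, which is exactly the case signature validation alone cannot surface: the served data is correctly signed, just not the data the operator intended.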

