[134221] in North American Network Operators' Group
Re: .gov DNSSEC operational message
daemon@ATHENA.MIT.EDU (bmanning@vacation.karoshi.com)
Wed Dec 29 11:58:02 2010
Date: Wed, 29 Dec 2010 16:56:52 +0000
From: bmanning@vacation.karoshi.com
To: Valdis.Kletnieks@vt.edu
In-Reply-To: <37561.1293639302@localhost>
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Wed, Dec 29, 2010 at 11:15:02AM -0500, Valdis.Kletnieks@vt.edu wrote:
> On Wed, 29 Dec 2010 15:01:41 GMT, Tony Finch said:
> > No cryptography can expose the difference between data that is correctly
> > signed by the proper procedures and data that is correctly signed by a corrupt
> > procedure.
>
> Amen...
>
> Well, it *would* help detect an intruder that's smart enough to subvert the
> signing of the zones on the DNS server, but unable to also subvert the copy
> stored on some FTP site. Rather esoteric threat model, fast approaching
> the "Did you remember to take your meds?" level.
presupposes the attack was server directed. the DNS-sniper will take
out your locally configured root KSK &/or replace it w/ their own.
no need to "carpet-bomb" all users of the vt.edu caches - right?
> Plus, if you're worried about foobar.com's zone being maliciously signed, do
> you *really* want to follow a pointer to www.foobar.com to fetch another copy? :)
who intimated that the OOB channel would be http? since that is based
on the DNS, i'd like to think it was suspect as well. :)
--bill
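The attack Bill describes, swapping out a resolver's locally configured root KSK, is exactly what a trust-anchor check against an out-of-band DS record catches. The script below is an added example and is not code from the thread or from any of the participants. It builds the DS digest the way RFC 4034 does (digest over the owner name in wire format followed by the DNSKEY RDATA), computes the RFC 4034 Appendix B key tag, and compares a configured DNSKEY against a pinned DS line. The DNSKEY and DS values are constructed for the example and are not the real root key material; the hypothetical helper names are the author's.

```python
"""Check a locally configured DNSSEC trust anchor against a pinned DS record.

Added example, not from the original thread. The key material below is
constructed for illustration and is NOT the real root KSK.
"""
import hashlib
import hmac
import struct

# RFC 4034 section 5.1.2: DS digest type 2 is SHA-256.
DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Owner name in canonical wire form (RFC 4034 section 6.2): lowercase,
    length-prefixed labels, terminated by a zero-length root label."""
    name = name.rstrip(".")
    if not name:
        return b"\x00"  # the root zone "." is a single empty label
    out = b""
    for label in name.lower().split("."):
        raw = label.encode("ascii")
        out += struct.pack("!B", len(raw)) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (for algorithms other than RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest = hash(owner name wire form || DNSKEY RDATA), upper-case hex."""
    return DIGEST_ALGOS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()


def parse_ds(line: str):
    """Parse a DS record in presentation format: '<tag> <alg> <digest type> <hex>'."""
    fields = line.split()
    tag, alg, dtype = int(fields[0]), int(fields[1]), int(fields[2])
    return tag, alg, dtype, "".join(fields[3:]).upper()


def verify_trust_anchor(owner: str, rdata: bytes, pinned) -> bool:
    """Return True only if the configured DNSKEY matches the pinned DS record:
    same key tag, same algorithm, and same digest (compared in constant time)."""
    tag, alg, dtype, digest = pinned
    if dtype not in DIGEST_ALGOS:
        return False  # unknown digest type: refuse rather than guess
    if key_tag(rdata) != tag:
        return False
    if rdata[3] != alg:  # algorithm byte sits after the 2-byte flags and protocol
        return False
    return hmac.compare_digest(ds_digest(owner, rdata, dtype), digest)


# Constructed sample: a KSK (flags 257) for the root, algorithm 8, with a
# deliberately tiny fake public key so the key tag is easy to follow by hand.
SAMPLE_PUBKEY = b"\x01\x02\x03\x04"
SAMPLE_RDATA = dnskey_rdata(257, 3, 8, SAMPLE_PUBKEY)

# The "out-of-band copy": a DS line as it would be pinned from a non-DNS channel.
PINNED_DS_LINE = "%d 8 2 %s" % (key_tag(SAMPLE_RDATA), ds_digest(".", SAMPLE_RDATA))
PINNED_DS = parse_ds(PINNED_DS_LINE)

# What a "DNS-sniper" leaves behind: a key that differs in a single byte.
TAMPERED_RDATA = dnskey_rdata(257, 3, 8, b"\x01\x02\x03\x05")


def demo() -> dict:
    """Run the check on the genuine and the tampered configured key."""
    return {
        "key_tag": key_tag(SAMPLE_RDATA),
        "genuine_ok": verify_trust_anchor(".", SAMPLE_RDATA, PINNED_DS),
        "tampered_ok": verify_trust_anchor(".", TAMPERED_RDATA, PINNED_DS),
    }


if __name__ == "__main__":
    print(demo())
```

The pinned DS line is the piece that has to come from somewhere other than the DNS (and, per Bill's point, somewhere other than an HTTP fetch of a name that itself depends on the DNS); the check only tells you whether the resolver's configured key is the one you pinned, not whether the pinned one was signed by an honest procedure.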