[62164] in North American Network Operators' Group


Re: Verisign brain damage and DNSSec.....Was:Re: What *are* they smoking?

daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Tue Sep 16 14:06:29 2003

To: bmanning@karoshi.com
Cc: bownes@web9.com (Keptin Komrade Dr. BobWrench III esq.),
	gmaxwell@martin.fl.us (Greg Maxwell), haesu@towardex.com (Haesu),
	marius@marius.org (Marius Strom), nanog@merit.edu
In-Reply-To: Your message of "Tue, 16 Sep 2003 09:59:40 PDT."
             <200309161659.h8GGxeI22438@karoshi.com> 
From: Valdis.Kletnieks@vt.edu
Date: Tue, 16 Sep 2003 14:00:45 -0400
Errors-To: owner-nanog-outgoing@merit.edu


On Tue, 16 Sep 2003 09:59:40 PDT, bmanning@karoshi.com said:
> DNSsec will work properly with wildcards, regardless of where they are
> in the DNS.

Which means that a rogue DNS can lead you down the garden path and
DNSsec won't give you a clue that you're being lied to.  It's the same
question as the "what happens to SSL to a phantom site?" - Verisign can
provide an A record for the server and an SSL cert that will work.
