[62167] in North American Network Operators' Group


Re: Verisign brain damage and DNSSec.....Was:Re: What *are* they smoking?

daemon@ATHENA.MIT.EDU (bmanning@karoshi.com)
Tue Sep 16 14:18:18 2003

From: bmanning@karoshi.com
To: Valdis.Kletnieks@vt.edu
Date: Tue, 16 Sep 2003 11:08:11 -0700 (PDT)
Cc: bmanning@karoshi.com,
	bownes@web9.com (Keptin Komrade Dr. BobWrench III esq.),
	gmaxwell@martin.fl.us (Greg Maxwell), haesu@towardex.com (Haesu),
	marius@marius.org (Marius Strom), nanog@merit.edu
In-Reply-To: <200309161800.h8GI0jYe018663@turing-police.cc.vt.edu> from "Valdis.Kletnieks@vt.edu" at Sep 16, 2003 02:00:45 PM
Errors-To: owner-nanog-outgoing@merit.edu


> On Tue, 16 Sep 2003 09:59:40 PDT, bmanning@karoshi.com said:
> > DNSsec will work properly with wildcards, regardless of where they are
> > in the DNS.
> 
> Which means that a rogue DNS can lead you down the garden path and
> DNSsec won't give you a clue that you're being lied to.  It's the same
> question as the "what happens to SSL to a phantom site?" - Verisign can
> provide an A record for the server and an SSL cert that will work.

	that's one aspect yes.  the validation chain should tell
	you who signed the delegations.  It won't lie.
	you will know that V'sign put that data there.

--bill
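
Added example, not part of the original message: a sketch of how the signer and any wildcard synthesis can be read from an RRSIG record, using the Signer's Name and Labels fields defined in RFC 4034. The records, key tag and signature text are constructed placeholders, and the code only reads fields; it assumes the signature has already been cryptographically verified by a validator.

```python
# Added illustration; the records below are constructed, not real DNS data.

def owner_labels(name):
    """Split an owner name into labels the way RFC 4034 counts them:
    the root label and a leading '*' label are not counted."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    if labels and labels[0] == "*":
        labels = labels[1:]
    return labels

def describe_rrsig(line):
    """Parse one RRSIG in presentation format; report signer and wildcard use."""
    f = line.split()
    if len(f) < 13 or f[3].upper() != "RRSIG":
        raise ValueError("not an RRSIG record: %r" % line)
    # Fields: owner ttl class RRSIG covered alg labels origttl exp inc keytag signer sig
    owner, covered, sig_labels, signer = f[0], f[4], int(f[6]), f[11]
    labels = owner_labels(owner)
    if sig_labels > len(labels):
        raise ValueError("Labels field exceeds owner name; signature is invalid")
    info = {"owner": owner, "covered": covered, "signer": signer,
            "wildcard": sig_labels < len(labels), "source": owner}
    if info["wildcard"]:
        # The answer was synthesized: keep the rightmost labels, prepend '*'.
        kept = labels[len(labels) - sig_labels:]
        info["source"] = "*." + ".".join(kept) + "." if kept else "*."
    return info

# Constructed samples: an ordinary name and a name answered from a wildcard.
SAMPLES = [
    "www.example. 3600 IN RRSIG A 5 2 3600 20031016000000 "
    "20030916000000 12345 example. c2lnbmF0dXJl",
    "no-such-name.example. 3600 IN RRSIG A 5 1 3600 20031016000000 "
    "20030916000000 12345 example. c2lnbmF0dXJl",
]

if __name__ == "__main__":
    for rec in SAMPLES:
        d = describe_rrsig(rec)
        kind = "wildcard " + d["source"] if d["wildcard"] else "exact match"
        print("%-22s signed by %-9s %s" % (d["owner"], d["signer"], kind))
```

The second record validates, yet its Labels value is lower than the label count of the queried name, which is how a resolver can tell the data came from a wildcard and which zone signed it.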
