[62207] in North American Network Operators' Group


Re: Verisign brain damage and DNSSec.....Was:Re: What *are*

daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Tue Sep 16 17:51:27 2003

Date: Tue, 16 Sep 2003 14:00:45 -0400
From: Valdis.Kletnieks@vt.edu
To: bmanning@karoshi.com
Cc: bownes@web9.com, gmaxwell@martin.fl.us, haesu@towardex.com,
	marius@marius.org, nanog@merit.edu
Errors-To: owner-nanog-outgoing@merit.edu


On Tue, 16 Sep 2003 09:59:40 PDT, bmanning@karoshi.com said:
> DNSsec will work properly with wildcards, regardless of where they are
> in the DNS.

Which means that a rogue DNS can lead you down the garden path and
DNSsec won't give you a clue that you're being lied to.  It's the same
question as the "what happens to SSL to a phantom site?" - Verisign can
provide an A record for the server and an SSL cert that will work. 
  


