[78982] in North American Network Operators' Group
Re: DNS cache poisoning attacks -- are they real?
daemon@ATHENA.MIT.EDU (Florian Weimer)
Sun Mar 27 17:19:59 2005
From: Florian Weimer <fw@deneb.enyo.de>
To: nanog@merit.edu
Date: Mon, 28 Mar 2005 00:16:44 +0200
In-Reply-To: <Pine.GSO.4.58.0503261947490.25244@clifden.donelan.com> (Sean
Donelan's message of "Sat, 26 Mar 2005 20:15:40 -0500 (EST)")
Errors-To: owner-nanog@merit.edu
* Sean Donelan:
> Signatures don't create trust. A signature can only confirm an existing
> trust relationship. DNSSEC would have the same problem, where do you get
> the trustworthy signatures? By connecting to the same root you don't
> trust?
>
> As a practical matter, you can stop 99% of the problems with a lot less
> effort. Why has SSH been so successful, and DNSSEC stumbled so badly?
Because SSH "signatures" do create trust. SSH uses the key continuity
model, not the PKI model.
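As an added illustration of the key continuity ("trust on first use") model that Florian contrasts with PKI, here is a small known_hosts-style check (example code written for this archive page, not from the thread's authors or from OpenSSH; host names and key bytes are constructed):

```python
import base64
import hashlib
from typing import Dict, List

# Constructed stand-ins for server host public keys (opaque bytes, not real keys).
SERVER_KEY = b"ssh-ed25519 constructed-key-of-mail.example.net"
IMPOSTER_KEY = b"ssh-ed25519 constructed-key-of-someone-else"


def fingerprint(pubkey: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint: base64 of the digest, padding stripped."""
    digest = hashlib.sha256(pubkey).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class KnownHosts:
    """Key continuity in the style of ~/.ssh/known_hosts.

    No third party vouches for the key. The client remembers the key it saw
    on first contact and requires every later contact to present the same one.
    """

    def __init__(self) -> None:
        self.store: Dict[str, str] = {}  # host -> remembered fingerprint

    def check(self, host: str, pubkey: bytes) -> str:
        fp = fingerprint(pubkey)
        known = self.store.get(host)
        if known is None:
            # First contact: nothing to compare against, so trust is created
            # here (this is the one moment an attacker would need to be in path).
            self.store[host] = fp
            return "first-use"
        if known == fp:
            return "continuity"  # same key as before: the remembered trust holds
        # Different key: never silently replace the remembered one; the
        # operator must resolve it (the familiar "HOST IDENTIFICATION HAS
        # CHANGED" situation).
        return "mismatch"


def demo() -> List[str]:
    """Three contacts with one host: first use, a repeat, then a substituted key."""
    kh = KnownHosts()
    return [
        kh.check("mail.example.net", SERVER_KEY),
        kh.check("mail.example.net", SERVER_KEY),
        kh.check("mail.example.net", IMPOSTER_KEY),
    ]
```

The contrast with PKI is that the verification step compares against the client's own memory rather than a chain leading to a root it must already trust.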