[78982] in North American Network Operators' Group


Re: DNS cache poisoning attacks -- are they real?

daemon@ATHENA.MIT.EDU (Florian Weimer)
Sun Mar 27 17:19:59 2005

From: Florian Weimer <fw@deneb.enyo.de>
To: nanog@merit.edu
Date: Mon, 28 Mar 2005 00:16:44 +0200
In-Reply-To: <Pine.GSO.4.58.0503261947490.25244@clifden.donelan.com> (Sean
	Donelan's message of "Sat, 26 Mar 2005 20:15:40 -0500 (EST)")
Errors-To: owner-nanog@merit.edu


* Sean Donelan:

> Signatures don't create trust.  A signature can only confirm an existing
> trust relationship.  DNSSEC would have the same problem, where do you get
> the trustworthy signatures?  By connecting to the same root you don't
> trust?
>
> As a practical matter, you can stop 99% of the problems with a lot less
> effort.  Why has SSH been so successful, and DNSSEC stumbled so badly?

Because SSH "signatures" do create trust.  SSH uses the key continuity
model, not the PKI model.

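Florian's distinction between the two trust models, as an added example that is not part of the thread: a known_hosts-style key-continuity store beside a root-anchored check. The host names, key bytes and the HMAC used as a stand-in for a real signature are constructed for illustration.

```python
import base64
import hashlib
import hmac


def fingerprint(pubkey: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint of a raw public-key blob."""
    digest = hashlib.sha256(pubkey).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class KeyContinuityStore:
    """Key continuity (trust on first use), the way SSH's known_hosts works."""

    def __init__(self):
        self._pins = {}  # host -> fingerprint pinned at first contact

    def check(self, host: str, pubkey: bytes) -> str:
        fp = fingerprint(pubkey)
        pinned = self._pins.get(host)
        if pinned is None:
            # First contact: nobody vouches for the key. The user accepts it
            # and it is pinned; the act of pinning is what creates the trust.
            self._pins[host] = fp
            return "new"
        if hmac.compare_digest(pinned, fp):
            return "match"
        # The key changed: a legitimate re-key or a man-in-the-middle. No
        # third party can settle that, so the connection is refused until an
        # operator resolves it. The old pin is deliberately kept.
        return "mismatch"


def pki_check(pubkey: bytes, signature: bytes, root_key: bytes) -> bool:
    """PKI model: the key is trusted only because a pre-configured root signed it.

    HMAC-SHA256 under root_key is a constructed stand-in for a real signature;
    the point is that the verdict depends entirely on trusting root_key first.
    """
    expected = hmac.new(root_key, pubkey, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)
```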