[88009] in North American Network Operators' Group
Re: AW: Odd policy question.
Tue Jan 17 12:30:01 2006
Date: Tue, 17 Jan 2006 09:29:29 -0800
From: "David W. Hankins" <David_Hankins@isc.org>
To: nanog@merit.edu
In-Reply-To: <43C97BB0.4090604@mit.edu>
On Sat, Jan 14, 2006 at 05:31:12PM -0500, Jeffrey I. Schiller wrote:
> If registrars regularly checked for lame delegations (or checked on
> demand), then a way to attack a domain would be to forge DNS responses
> to cause the registrar to remove the domain because it is lame. So
> DNSSEC would be needed to be sure...
Something more than merely DNS-SEC.
DNS-SEC is about proving zone contents ("object security"). To prove
lame delegation you'd need a means to identify the nameserver ("channel
security") that's supplying the response.
The difference between "this zone contains (or doesn't) an RR" versus
"this DNS packet is from the server named George."
You could prove inconsistent delegation - that the parent and child
differ. But this is not necessarily lame.
-- 
David W. Hankins
Software Engineer
Internet Systems Consortium, Inc.

"If you don't do it right the first time, you'll just have to do it again."
-- Jack T. Hankins
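The distinction Hankins draws (object security proves what a zone contains, channel security proves which server answered) is easy to see in a delegation checker. The following is an added example, not code from the original post or from ISC: it classifies a delegation as *inconsistent* (the child's NS RRset differs from the parent's) or *lame* (a server the parent lists does not answer authoritatively). The `NsResponse` type, the field names and the sample replies are all constructed for this example; a real checker would parse DNS messages received over the wire. Note which fields each verdict depends on: the inconsistency verdict uses only `ns_rrset`, which DNSSEC can sign, while the lameness verdict uses `server` and `aa`, properties of the packet that no RRSIG covers, so a forged non-authoritative reply is indistinguishable from a genuinely lame server.

```python
"""Added example: separating "inconsistent" from "lame" delegations.

All types, names and responses below are constructed for illustration;
nothing here is from the original mailing-list post or from ISC.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional


@dataclass(frozen=True)
class NsResponse:
    """One reply to a direct 'NS <zone>' query at a delegated server.

    server, aa      -> channel properties: who answered, and whether the
                       authoritative-answer bit was set in that packet.
    ns_rrset        -> object property: the NS names in the answer section.
    dnssec_valid    -> object property: RRSIG over that RRset validated.
    """
    server: str
    aa: bool
    ns_rrset: FrozenSet[str]
    dnssec_valid: bool = False


def delegation_status(parent_ns: Iterable[str],
                      replies: Dict[str, Optional[NsResponse]]) -> dict:
    """Classify each server the parent delegates to.

    parent_ns : NS names the parent zone publishes for the child.
    replies   : server name -> reply received from it, or None on timeout.
    Returns {"lame": [...], "inconsistent": [...]} with server names.
    """
    parent = frozenset(parent_ns)
    lame: List[str] = []
    inconsistent: List[str] = []

    for server in sorted(parent):
        reply = replies.get(server)

        # Lame: listed by the parent, but no authoritative answer came
        # back (timeout, REFUSED, or aa bit clear).  This verdict rests
        # entirely on channel properties.  A spoofed non-authoritative
        # reply produces exactly this record, and DNSSEC cannot tell the
        # two apart because "I am not authoritative" is not zone content.
        if reply is None or not reply.aa:
            lame.append(server)
            continue

        # Inconsistent: the server answers authoritatively but its NS
        # RRset disagrees with the parent's.  This is zone content, so a
        # validated RRSIG can prove the disagreement is genuine; the
        # server is still not lame.
        if reply.ns_rrset != parent:
            inconsistent.append(server)

    return {"lame": lame, "inconsistent": inconsistent}


# Constructed scenario: the parent lists ns1 and ns2; ns1 answers
# authoritatively with a matching RRset, ns2 replies without the aa bit.
PARENT_NS = ["ns1.example.", "ns2.example."]
LAME_SCENARIO = {
    "ns1.example.": NsResponse("ns1.example.", True,
                               frozenset(PARENT_NS), dnssec_valid=True),
    # Could be a misconfigured server or a forged packet: identical record.
    "ns2.example.": NsResponse("ns2.example.", False, frozenset()),
}

# Constructed scenario: both answer authoritatively, but ns2 publishes a
# different NS set (ns3 instead of ns2).  Inconsistent, not lame.
INCONSISTENT_SCENARIO = {
    "ns1.example.": NsResponse("ns1.example.", True,
                               frozenset(PARENT_NS), dnssec_valid=True),
    "ns2.example.": NsResponse("ns2.example.", True,
                               frozenset({"ns1.example.", "ns3.example."}),
                               dnssec_valid=True),
}

if __name__ == "__main__":
    print(delegation_status(PARENT_NS, LAME_SCENARIO))
    print(delegation_status(PARENT_NS, INCONSISTENT_SCENARIO))
```

Running the module prints the two verdicts; the point to take from it is that the second scenario can be settled by validating the signed NS RRset, while the first cannot be settled by any signature, because what would need proving is the origin of the packet rather than the contents of the zone.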