Re: Q2: crypto algorithm requirements for DNSSEC
On Wed, 2003-02-12 at 00:35, David Blacka wrote:
> But from the zone owner's perspective, his zone will be vulnerable until
> either he re-signs the zone or all resolvers are reconfigured to not use the
> bad algorithm.
I don't see how re-signing the zone helps. If I can forge, say, RSA
signatures, then I can forge a signature chain all the way from the
client's pre-configured RSA public key to the domain I'm trying to
attack, whether or not the real zone data has been re-signed with a DSA
key.
--
archive: <http://ops.ietf.org/lists/namedroppers/>