Re: secure entry point
[On 01 Apr, @12:14, Jakob wrote in "Re: secure entry point ..."]
> On Tue, 1 Apr 2003, Miek Gieben wrote:
>
> > Spoof the nameserver ip, and the resolver gets bad data, there is no
> > way the resolver can guard against such an attack.
>
> the resolver can always detect if it had received bad data.

Yes... so if I spoof the secure entry IP for .nl, the whole of .nl is bad.

> > And if you change nameservers you will probably also change the key, so
> > the resolver already has to update something.
>
> why would you ever change the key if you change nameserver? distributing
> the signed zone and signing it is very different.

I'm in the process of writing down what DNS operations will look like when
DNSSEC is deployed. Maybe we should take this up on the cafax list.

grtz Miek
--
archive: <http://ops.ietf.org/lists/namedroppers/>