
Re: secure entry point



> yes.. so if I spoof the secure entry IP for .nl, the whole of .nl is bad

Yes.. Bad luck I'd say.

DNSSEC does not provide for a way to check the delegation. If a
delegation points you to the wrong server you're lost; that is to be
seen as a DOS attack.

If you want to be 'resistant' to drop of connectivity to the root then
have your recursive servers be slave of your local domains. That can
be done independent of your "trusted-keys".

DNSSEC does not give a bit about where data came from. Let's not add
that dependency in the resolv.conf you (provide buckshots to shoot one's
foot off :-) )


--Olaf

--------------------------------------------| Olaf M. Kolkman
                                            | www.ripe.net/disi


archive: <http://ops.ietf.org/lists/namedroppers/>