Joe Abley <jab...@hopcount.ca> wrote:
> I'm trying to understand the time-based attack, but I'm not seeing it.

I think a plausible form of this attack involves DNSSEC validation at the edge.

(1) DoS your victim, to force them into trouble-shooting mode. Hopefully they will reboot, at which point you can lie to them about the time, and they will probably believe you.

(2) You have compromised a key that was valid at the point in time which your victim now believes is current. The signature chain from the root to your compromised key works. You have a sample of other records from the same time so you can maybe make other stuff seem to work.

(3) Go wild signing attack records with your compromised key and sending them in responses to your victim.

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
Trafalgar: Westerly or southwesterly 4 or 5, occasionally 6 in north. Rough becoming moderate. Rain or showers, mainly in north. Good, occasionally poor in north.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
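Added example (not part of Tony's message, and not code from any DNSSEC validator): a small Python model of the RRSIG validity-window check that step (2) depends on, run once with a correct clock, once with the clock rolled back as in step (1), and once with a persisted "last trusted time" floor. The floor is an assumed mitigation on the validator host, not a DNSSEC protocol field; all timestamps, names and key tags are constructed.

```python
"""Temporal checks a DNSSEC validator applies to an RRSIG, and a clock-sanity
floor that limits what a rolled-back clock can make it accept.

Constructed example: the signer, key tag and timestamps below are made up;
nothing here parses real DNS messages or verifies a cryptographic signature.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional

MOD = 1 << 32  # RRSIG times are 32-bit serial numbers (RFC 4034 section 3.1.5)


def _ts(s: str) -> int:
    """Parse a YYYYMMDDHHMMSS string (RRSIG presentation format) to seconds since the epoch."""
    return int(datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc).timestamp())


def serial_le(a: int, b: int) -> bool:
    """a <= b in 32-bit serial number arithmetic (RFC 1982), as RRSIG times require."""
    return a == b or ((b - a) % MOD) < (1 << 31)


@dataclass(frozen=True)
class RRSIG:
    signer: str
    key_tag: int
    inception: int   # seconds since epoch, modulo 2^32 on the wire
    expiration: int


def rrsig_time_valid(sig: RRSIG, now: int) -> bool:
    """RFC 4035 section 5.3.1: inception <= now <= expiration, in serial arithmetic."""
    return serial_le(sig.inception % MOD, now % MOD) and serial_le(now % MOD, sig.expiration % MOD)


def evaluate(sig: RRSIG, now: int, time_floor: Optional[int] = None) -> str:
    """Decide what a validator should conclude from an RRSIG's validity window.

    'secure'  : now lies inside [inception, expiration]
    'bogus'   : now lies outside the window (RFC 4035 section 5.3.1)
    'no-clock': the local clock is earlier than time_floor, a hypothetical persisted
                lower bound on real time (e.g. the last time the host trusted before
                it went down); a clock behind that bound cannot be right, so the
                validator declines to trust any validity window until it is fixed.
    """
    if time_floor is not None and now < time_floor:
        return "no-clock"
    return "secure" if rrsig_time_valid(sig, now) else "bogus"


def replay_scenario() -> Dict[str, str]:
    """The thread's scenario: a key that was valid in the past, a victim whose clock
    was rolled back to that time after a reboot, and the same victim with a floor."""
    # Constructed: a signature whose validity window covered January 2014.
    old_sig = RRSIG("example.", 12345, _ts("20140101000000"), _ts("20140131000000"))
    real_now = _ts("20150615120000")     # the actual current time
    rolled_back = _ts("20140115120000")  # what the rebooted victim was told the time is
    floor = _ts("20150614000000")        # last trusted time the host persisted before going down
    return {
        "correct_clock": evaluate(old_sig, real_now),                     # bogus: long expired
        "rolled_back_clock": evaluate(old_sig, rolled_back),              # secure: window looks current
        "rolled_back_with_floor": evaluate(old_sig, rolled_back, floor),  # no-clock: clock implausible
    }


if __name__ == "__main__":
    for case, verdict in replay_scenario().items():
        print(f"{case:24s} -> {verdict}")
```

The point the model makes explicit is that the validity window is only as good as the validator's notion of "now": with a rolled-back clock the old signature is indistinguishable from a fresh one, and the only defence is evidence about real time that the attacker cannot reset, such as a persisted lower bound.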