Brian,

Yeah, I'm referring to most of the articles about DNSSEC in IEEE. If you say the crypto is vulnerable and can be attacked by hackers, I think you are wrong. The main idea of DNSSEC is to provide integrity by using public key crypto and one-way hashing (from root to bottom). If you do not know how to manage your keys (KSK & ZSK), you might face a problem when you roll over your keys. RFC 5011 tells you more about how to manage your keys, and if you follow the guidelines you will be on the safe side. Since DNS is very important in the IP network, you as zone administrator must make sure of the availability of the DNS. Other important considerations when you are implementing DNSSEC are key size, key rollover, HSM (key storage; you can use SoftHSM), re-signing interval, algorithm (RSASHA256) and NSEC. The discussion about vulnerabilities when implementing DNSSEC is more about its drawbacks, e.g. increase in the file size, EDNS0, algorithm, place to store the keys, the policies involved, the end-user application and others. We might have some classes about DNSSEC.

rgds
Amir

On Sat, Apr 10, 2010 at 8:52 PM, BRIAN RITCHIE <[email protected]> wrote:

> Amir,
>
> Thanks for the comments. Haven't read the doc yet but yeah any system
> with poor implementation = flawed by default. Curious what this document has
> to say
>
> -BRIAN RITCHIE
>
>
> On Sat, Apr 10, 2010 at 8:49 PM, Amir Haris Ahmad <[email protected]> wrote:
>
>> Yes, with improper/poor implementation you might face the problems.
>> DNSSEC uses public key cryptography and you need to maintain it.
>> Administrating DNS is fun stuff when you are enabling DNSSEC in your
>> production (you need to know more). Come on, you know you should read these RFCs:
>> 4033, 4034, 4035 and 5011. If anyone has doubts about DNSSEC, we can discuss
>> it. Root server will enable DNSSEC in production by July this year and
>> for .my in Q4 this year. UDPPoke, Poke, Poker, TCPPoke... great.
>>
>>
>> rgds
>> Amir Haris
>>
>> On Sat, Apr 10, 2010 at 8:03 PM, BRIAN RITCHIE <[email protected]> wrote:
>>
>>> Thanks for this. Will check it out.
>>>
>>> On Sat, Apr 10, 2010 at 3:00 PM, Muhammad Najmi Ahmad Zabidi <[email protected]> wrote:
>>>
>>>> http://cr.yp.to/talks/2009.08.10/slides.pdf
>>>>
>>>> DJB, the author of Qmail
>>>>
>>>> --
>>>> You received this message because you are subscribed to the Google
>>>> Groups "MySecurity" group.
>>>> To post to this group, send email to [email protected].
>>>> To unsubscribe from this group, send email to
>>>> [email protected]<mysecurity%[email protected]>.
>>>> For more options, visit this group at
>>>> http://groups.google.com/group/mysecurity?hl=en.
>>>
>>> _______________________________________________
>>> Owasp-Malaysia mailing list
>>> [email protected]
>>> https://lists.owasp.org/mailman/listinfo/owasp-malaysia
>>>
>>> OWASP Malaysia Wiki
>>> http://www.owasp.org/index.php/Malaysia
>>>
>>> OWASP Malaysia Wiki Facebook
>>> http://www.facebook.com/pages/OWASP-Malaysia-Local-Chapter/295989208420

