-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Masataka Ohta
Subject: Re: [DNSOP] A different question
There are intelligent intermediate entities of root, TLD and
other servers between you and authoritative nameservers of your
peer.
This is on
On Tue, 19 Aug 2008, Ted Lemon wrote:
On Aug 19, 2008, at 8:15 PM, Dean Anderson wrote:
A verifying
DNSSEC cache can be poisoned with bad glue records using the poisoning
attack, with only a slight change to the Kaminsky software.
Do you mean that it can be convinced that an answer is
Antoin Verschuren wrote:
There are intelligent intermediate entities of root, TLD and
other servers between you and authoritative nameservers of your
peer.
This is on data distribution path level, not infrastructure, nor data.
FYI, I of PKI is Infrastructure.
And here are the attacks on
Brian,
On Aug 21, 2008, at 8:45 AM, Brian Dickson wrote:
How stable is the content of the root zone?
(Really, really stable, I'd guess.)
On average, there are about 20-30 changes to the root zone per month
(not including SOA serial number increments) with the trend
increasing. August has
On Thu, 21 Aug 2008, Masataka Ohta wrote:
Instead, MitM attack on DNSSEC is performed, for example, within
intermediate zones with forged signature on child zone with forged
end-users data.
Oh I see. DNSSEC is broken because we cannot trust RSA, DSA, SHA256,
DiffieHellman, and perhaps elliptic
On Thu, Aug 21, 2008 at 09:47:38AM -0700, David Conrad wrote:
...
If the root zone were to strobe between signed and unsigned, what
minimum duration of signed, and what
maximum duration of unsigned would be likely to not cause
operational problems for the aforementioned
DNSSEC-configured
Paul Wouters wrote:
Instead, MitM attack on DNSSEC is performed, for example, within
intermediate zones with forged signature on child zone with forged
end-users data.
Oh I see. DNSSEC is broken because we cannot trust RSA, DSA, SHA256,
DiffieHellman, and perhaps elliptic curve
That is
On Thu, 21 Aug 2008, David Conrad wrote:
Now, I've always thought a separate root infrastructure that you had
to opt in to would be a good way to go, but this quickly gets bogged
down in extremely annoying (at least to me) layer 9 politics and I'll
let someone else try to push that
I've been doing a lot of IPv6-related hacking recently, and of course
participating in this discussion about DNSSEC as a solution to MitM
attacks, and it occurred to ask whether ip6.arpa is signed. It looks
like it's sort of half-signed - if I query the right authoritative
server, I do
*plonk*
On Aug 21, 2008, at 3:50 PM, Masataka Ohta wrote:
Paul Wouters wrote:
Instead, MitM attack on DNSSEC is performed, for example, within
intermediate zones with forged signature on child zone with forged
end-users data.
Oh I see. DNSSEC is broken because we cannot trust RSA, DSA,