Re: [DNSOP] Practical issues deploying DNSSEC into the home.

2013-09-12 Thread Masataka Ohta
Ted Lemon wrote: > This isn't _quite_ true. DNSSEC supports trust anchors at > any point in the hierarchy, and indeed I think the right > model for DNSSEC is that you would install trust anchors > for things you really care about, and manage them in the > same way that you manage your root trus

Re: [DNSOP] Practical issues deploying DNSSEC into the home.

2013-09-12 Thread Masataka Ohta
robert bownes wrote: > A 1 pulse per second aligned to GPS is good to a few ns. Fairly > straightforward to plug into even a OpenWrt type of router. Turn on the pps > in NTP on the router and you are good to go. Faking GPS signal is trivially easy. Iraq successfully captured US unmanned plane, app

Re: [DNSOP] Practical issues deploying DNSSEC into the home.

2013-09-12 Thread Ted Lemon
On Sep 12, 2013, at 1:49 PM, "Dickson, Brian" wrote: > In order to subvert or redirect a delegation, the TLD operator (or > registrar) would need to change the DNS server name/IP, and replace the DS > record(s). Someone who possesses the root key could in principle create a fake DNS hierarchy wi

Re: [DNSOP] Practical issues deploying DNSSEC into the home.

2013-09-12 Thread Ted Lemon
On Sep 12, 2013, at 3:16 PM, "Dickson, Brian" wrote: > Excluding the direct methods of acquisition, let us consider the level of > effort involved in recreating the root key, by brute force. I think we can assume that they would use some fairly subtle attack to get the key, and would not brute f

Re: [DNSOP] Practical issues deploying DNSSEC into the home.

2013-09-12 Thread Phillip Hallam-Baker
On Thu, Sep 12, 2013 at 2:07 PM, Ted Lemon wrote: > On Sep 12, 2013, at 1:49 PM, "Dickson, Brian" > wrote: > > In order to subvert or redirect a delegation, the TLD operator (or > > registrar) would need to change the DNS server name/IP, and replace the > DS > > record(s). > > Someone who posses

Re: [DNSOP] Practical issues deploying DNSSEC into the home.

2013-09-12 Thread Dickson, Brian
On 9/12/13 2:07 PM, "Ted Lemon" wrote: >On Sep 12, 2013, at 1:49 PM, "Dickson, Brian" >wrote: >> In order to subvert or redirect a delegation, the TLD operator (or >> registrar) would need to change the DNS server name/IP, and replace the >>DS >> record(s). > >Someone who possesses the root key

Re: [DNSOP] Practical issues deploying DNSSEC into the home.

2013-09-12 Thread Ted Lemon
On Sep 12, 2013, at 11:07 AM, Theodore Ts'o wrote: > Finally, if you think the target can try to find random caching > nameservers all across the network to use, (a) there are certain > environments where this is not allowed --- some ISPs or hotel/coffee > shop/airline's networks require that you

Re: [DNSOP] Practical issues deploying DNSSEC into the home.

2013-09-12 Thread Dickson, Brian
On 9/12/13 7:24 AM, "Theodore Ts'o" wrote: >On Wed, Sep 11, 2013 at 03:38:21PM -0400, Phillip Hallam-Baker wrote: >> > I disagree. DNSSEC is not just DNS: it's the only available, >>deployed, and >> > (mostly) accessible global PKI currently in existence which also >>includes a >> > constrained p

Re: [DNSOP] Practical issues deploying DNSSEC into the home.

2013-09-12 Thread Phillip Hallam-Baker
On Thu, Sep 12, 2013 at 1:21 PM, Theodore Ts'o wrote: > On Thu, Sep 12, 2013 at 04:46:01PM +, Ted Lemon wrote: > > > > The model for this sort of validation is really not on a per-client > > basis, but rather depends on routine cross-validation by various > > DNSSEC operators throughout the n

Re: [DNSOP] Practical issues deploying DNSSEC into the home.

2013-09-12 Thread robert bownes
Chiming in a bit late here, however, the availability of stratum 1 clocks and stratum 2 class time data on non-IP and/or non-interconnected networks is now so large, I question why one would run NTP outside of the building in many cases, certainly in an enterprise of any size. A 1 pulse per second

Re: [DNSOP] Practical issues deploying DNSSEC into the home.

2013-09-12 Thread Ted Lemon
On Sep 12, 2013, at 2:35 PM, Phillip Hallam-Baker wrote: > It would work just fine if the attacker did not mind if the surveillance was > detected or actually wanted people to know they were being watched to > intimidate them. Yup, neither PKI nor DNSSEC address that threat model. For that you

Re: [DNSOP] Practical issues deploying DNSSEC into the home.

2013-09-12 Thread Ted Lemon
On Sep 12, 2013, at 1:21 PM, Theodore Ts'o wrote: > Still, I agree with the general precept that perfect should not be the enemy > of the better, and DNSSEC certainly adds value. I just get worried > about people who seem to think that DNSSEC is a panacea. Me too. It most certainly is not.

Re: [DNSOP] Practical issues deploying DNSSEC into the home.

2013-09-12 Thread Theodore Ts'o
On Thu, Sep 12, 2013 at 04:46:01PM +, Ted Lemon wrote: > > The model for this sort of validation is really not on a per-client > basis, but rather depends on routine cross-validation by various > DNSSEC operators throughout the network. This will not necessarily > catch a really focused attac

Re: [DNSOP] Practical issues deploying DNSSEC into the home.

2013-09-12 Thread Theodore Ts'o
On Wed, Sep 11, 2013 at 03:38:21PM -0400, Phillip Hallam-Baker wrote: > > I disagree. DNSSEC is not just DNS: it's the only available, deployed, and > > (mostly) accessible global PKI currently in existence which also includes a > > constrained path of trust which follows already established busine

Re: [DNSOP] Practical issues deploying DNSSEC into the home.

2013-09-12 Thread Nicholas Weaver
On Sep 12, 2013, at 7:24 AM, Theodore Ts'o wrote: > It is still a hierarchical model of trust. So at the top, if you > don't trust Verisign for the .COM domain and PIR for the .ORG domain > (and for people who are worried about the NSA, both of these are US > corporations), the whole system fal

Re: [DNSOP] Practical issues deploying DNSSEC into the home.

2013-09-12 Thread Paul Wouters
On Thu, 12 Sep 2013, Theodore Ts'o wrote: Any coercing that happens has to be globally visible, if the target ensures he is using "random" nameservers to query for data. Not necessarily. First of all, an active attacker located close to the target can simply replace the DNS replies with bogu

Re: [DNSOP] Practical issues deploying DNSSEC into the home.

2013-09-12 Thread Ted Lemon
On Sep 12, 2013, at 7:24 AM, Theodore Ts'o wrote: > It is still a hierarchical model of trust. So at the top, if you > don't trust Verisign for the .COM domain and PIR for the .ORG domain > (and for people who are worried about the NSA, both of these are US > corporations), the whole system falls

Re: [DNSOP] Practical issues deploying DNSSEC into the home.

2013-09-12 Thread Theodore Ts'o
On Thu, Sep 12, 2013 at 10:22:10AM -0400, Paul Wouters wrote: > > Any coercing that happens has to be globally visible, if the target > ensures he is using "random" nameservers to query for data. Not necessarily. First of all, an active attacker located close to the target can simply replace th

Re: [DNSOP] Practical issues deploying DNSSEC into the home.

2013-09-12 Thread Paul Wouters
On Thu, 12 Sep 2013, Theodore Ts'o wrote: More importantly, what problem do people think DNSSEC is going to solve? It is still a hierarchical model of trust. So at the top, if you don't trust Verisign for the .COM domain and PIR for the .ORG domain (and for people who are worried about the NSA

Re: [DNSOP] Practical issues deploying DNSSEC into the home.

2013-09-12 Thread Tony Finch
Theodore Ts'o wrote: > > Their dynamic with their users and the market is the same as with CAs > --- the market virtually guarantees a race to the bottom in terms of > quality and prices. So beyond replacing names like "Comodo" with "Go > Daddy", what benefit do you actually think would accrue?

Re: [DNSOP] Practical issues deploying DNSSEC into the home.

2013-09-12 Thread Tony Finch
Phillip Hallam-Baker wrote: > > 2. The current time is a matter of convention rather than a natural > property. It is therefore impossible to determine the time without > reference to at least one trusted party. Preferably more than one so you can use quorum agreement and minimize the amount of t