On Oct 28, 2013, at 12:07 AM, Masataka Ohta mo...@necom830.hpcl.titech.ac.jp wrote:
> Then, plain DNS modified to have 32 (or 64?) bit message
> ID is as secure as DNSSEC.
How does a 32 or 64 bit message ID protect you from on-path MITM/injection attacks?
Protecting the communication channel
How could a local time problem lead to using an expired (zone) key for arbitrary data of the zone?
~ DNSKEY info itself does not expire - only signatures have an expiration date
~ admitting a local time problem can allow for replay attacks
in the sense of: making a validating resolver believe
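The replay concern above hinges on the RRSIG validity window, which a validating resolver checks against its own clock using 32-bit serial arithmetic (RFC 4034 section 3.1.5, RFC 1982). The following is an added illustration, not code from anyone in this thread: it implements that check and shows how a signature that has expired by a month is rejected with a correct clock but accepted by a resolver whose clock is stuck inside the old window. The RRSIG timestamps are constructed sample values, and the zone name is a placeholder.

```python
# Added example (not from the thread): RRSIG validity-window check as a
# validating resolver performs it, with RFC 1982 serial arithmetic on the
# 32-bit inception/expiration fields (RFC 4034 section 3.1.5).
import datetime as dt

SERIAL_MOD = 1 << 32          # RRSIG time fields are unsigned 32-bit
SERIAL_HALF = 1 << 31         # RFC 1982 comparison threshold


def serial_le(a, b):
    """Return True if a <= b under 32-bit serial-number arithmetic.

    Wraparound is handled the way RFC 1982 prescribes: b is "after" a when
    the forward distance (b - a) mod 2^32 is less than 2^31.
    """
    a %= SERIAL_MOD
    b %= SERIAL_MOD
    return a == b or 0 < (b - a) % SERIAL_MOD < SERIAL_HALF


def rrsig_time_valid(inception, expiration, now):
    """RFC 4034 3.1.5: the signature is usable only if
    inception <= now <= expiration (serial arithmetic)."""
    return serial_le(inception, now) and serial_le(now, expiration)


def ts(presentation):
    """Parse an RRSIG time in presentation format (YYYYMMDDHHMMSS, UTC)
    into a POSIX timestamp, the wire-format integer."""
    return int(
        dt.datetime.strptime(presentation, "%Y%m%d%H%M%S")
        .replace(tzinfo=dt.timezone.utc)
        .timestamp()
    )


# Constructed sample RRSIG: a 30-day signature over some RRset in
# "example.test." (placeholder zone), signed in October 2013.
SAMPLE_RRSIG = {
    "name": "example.test.",
    "inception": ts("20131001000000"),
    "expiration": ts("20131031000000"),
}


def resolver_accepts(rrsig, resolver_clock):
    """Decision a validating resolver makes with the given local clock."""
    return rrsig_time_valid(rrsig["inception"], rrsig["expiration"], resolver_clock)


def demo():
    """Compare a correct clock against a resolver clock stuck in the past.

    Returns (accepted_with_correct_clock, accepted_with_skewed_clock).
    """
    correct_now = ts("20131201000000")   # one month after expiration
    skewed_now = ts("20131015000000")    # clock stuck inside the old window
    return (
        resolver_accepts(SAMPLE_RRSIG, correct_now),  # False: expired
        resolver_accepts(SAMPLE_RRSIG, skewed_now),   # True: replayable
    )


if __name__ == "__main__":
    ok, replayed = demo()
    print("correct clock accepts expired RRSIG:", ok)
    print("skewed clock accepts expired RRSIG: ", replayed)
```

The second value is the point of the thread: with the clock wrong, a captured RRSIG plus its (non-expiring) DNSKEY keeps validating long after the zone operator thinks it is dead, which is why resolvers that want DNSSEC to hold need a trustworthy time source.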
On Mon, Oct 28, 2013 at 04:57:46PM +0100, Marc Lampo wrote:
> How could a local time problem lead to using an expired (zone) key for
> arbitrary data of the zone?
There is a genuine theoretical concern here, but IMHO it's unrealistic.
Imagine some shadowy omnipotent organization has tapped your