This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/
[dns-wg] What about the last mile, was: getting DNSSEC deployed
- Previous message (by thread): [dns-wg] What about the last mile, was: getting DNSSEC deployed
- Next message (by thread): [dns-wg] What about the last mile, was: getting DNSSEC deployed
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
David Conrad
david.conrad at icann.org
Fri Feb 16 22:10:45 CET 2007
On Feb 16, 2007, at 12:50 PM, Doug Barton wrote: > David Conrad wrote: >>> NEW ATTACK TECHNIQUE THREATENS BROADBAND USERS >> ... >>> As noted, dnssec can protect against spoofed dns info. >> Except DNSSEC wouldn't really be applicable. > It would apply in the (theoretical) subset of applications that are > configured to rely on signed and validated responses, like hopefully > windows/osx/mozilla/other software updaters could be configured to do. The question is how do they get the information that the data has been signed and the signatures validated. Since with this attack they'd be going through a compromised server, they lose. The only way out of that hole is if you run a local validating caching server and have appropriate (out-of-band validated) trust anchors configured and if you're running a local caching server, you're already not susceptible to the attack. Rgds, -drc
- Previous message (by thread): [dns-wg] What about the last mile, was: getting DNSSEC deployed
- Next message (by thread): [dns-wg] What about the last mile, was: getting DNSSEC deployed
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
[ dns-wg Archives ]