
Re: DNSSEC - Signature Only vs the MX/A issue.



Not exactly. See my previous note to Mark. SO still protects the atomicity of an RRSet - you can delete ALL of the SRV records or none of them. If you delete all of them at a label, the lookup fails and you can't proceed. If you do retrieve the SRV records and then look up the referenced A records, the worst that can happen is that one or more of the individual A records is deleted and an attacker can steer you to one specific system (from the list of validated names).


At 08:58 AM 11/28/2006, Stephane Bortzmeyer wrote:
On Sun, Nov 26, 2006 at 10:26:55PM -0500,
 Mike StJohns <Mike.StJohns@nominum.com> wrote
 a message of 51 lines which said:

> I chatted briefly with John Klensin about deprecating this MX/A
> alternate in the next revision to RFC2821 - comments on whether this
> is a reasonable approach?

Unfortunately, there are other records that are vulnerable to this
attack (SRV, NAPTR), not just MX.

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>


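The following is an added example, not code from the namedroppers thread or from either poster. It models the two behaviours being discussed: a signature that covers the whole RRset (so removing a single MX or SRV record is detectable) and "signature only" validation with no authenticated denial of existence (so removing a whole RRset is not). An HMAC over the canonical RRset stands in for an RRSIG, the zone contents and names are constructed, and the MX-then-A fallback is a simplified reading of RFC 2821; none of these are from the thread.

```python
"""Toy model of DNSSEC 'signature only' validation and the MX/A fallback.

Added example (not from the thread). An HMAC over the canonical RRset stands
in for an RRSIG; there is no NSEC/NSEC3, so the absence of an RRset cannot be
proven, which is the 'signature only' property under discussion.
"""
import copy
import hashlib
import hmac

# Constructed zone key; a real RRSIG is a public-key signature, not an HMAC.
ZONE_KEY = b"constructed-zone-key"


def canonical_rrset(name, rtype, rdatas):
    """Owner name, type and the RDATA in sorted order. The signature covers
    the whole set, which is what makes an RRset atomic."""
    body = b"|".join(sorted(r.encode() for r in rdatas))
    return name.lower().encode() + b"|" + rtype.encode() + b"|" + body


def sign_rrset(name, rtype, rdatas):
    return hmac.new(ZONE_KEY, canonical_rrset(name, rtype, rdatas),
                    hashlib.sha256).hexdigest()


def verify_rrset(name, rtype, rdatas, sig):
    return hmac.compare_digest(sign_rrset(name, rtype, rdatas), sig)


def make_zone():
    """Constructed signed zone: MX and SRV sets plus the A records they name."""
    zone = {}
    for name, rtype, rdatas in [
        ("example.test", "MX", ["10 mx1.example.test", "20 mx2.example.test"]),
        ("_sip._tcp.example.test", "SRV",
         ["0 5 5060 sip1.example.test", "0 5 5060 sip2.example.test"]),
        ("example.test", "A", ["192.0.2.1"]),
        ("mx1.example.test", "A", ["192.0.2.10"]),
        ("mx2.example.test", "A", ["192.0.2.11"]),
    ]:
        zone[(name, rtype)] = {"rdata": list(rdatas),
                               "sig": sign_rrset(name, rtype, rdatas)}
    return zone


def strip_record(zone, name, rtype, rdata):
    """Tampered view: one record removed, signature left as served."""
    view = copy.deepcopy(zone)
    view[(name, rtype)]["rdata"].remove(rdata)
    return view


def strip_rrset(zone, name, rtype):
    """Tampered view: the whole RRset (and its signature) removed."""
    view = copy.deepcopy(zone)
    del view[(name, rtype)]
    return view


def lookup(view, name, rtype):
    """Validating lookup. Returns the RDATA list, None when the RRset is
    absent (undetectable without NSEC), and raises when the signature does
    not match what was received."""
    entry = view.get((name, rtype))
    if entry is None:
        return None
    if not verify_rrset(name, rtype, entry["rdata"], entry["sig"]):
        raise ValueError(f"bogus {rtype} RRset for {name}")
    return entry["rdata"]


def mail_targets(view, domain):
    """Simplified RFC 2821 rule: use MX if present, else fall back to A."""
    mx = lookup(view, domain, "MX")
    if mx is not None:
        by_pref = sorted(mx, key=lambda r: int(r.split()[0]))
        return [rr.split()[1] for rr in by_pref]
    return [domain] if lookup(view, domain, "A") else []


def srv_targets(view, service):
    """SRV has no fallback: an absent RRset just ends the lookup."""
    srv = lookup(view, service, "SRV")
    return [] if srv is None else [rr.split()[3] for rr in srv]


if __name__ == "__main__":
    zone = make_zone()
    print("intact MX:", mail_targets(zone, "example.test"))
    try:
        mail_targets(strip_record(zone, "example.test", "MX",
                                  "10 mx1.example.test"), "example.test")
    except ValueError as e:
        print("one MX removed ->", e)
    print("all MX removed ->",
          mail_targets(strip_rrset(zone, "example.test", "MX"), "example.test"))
    print("all SRV removed ->",
          srv_targets(strip_rrset(zone, "_sip._tcp.example.test", "SRV"),
                      "_sip._tcp.example.test"))
```

Run stand-alone, the script shows the contrast from the thread: removing one record from a signed set is caught by validation, removing the entire MX set silently routes mail to the domain's own A record (the fallback the thread proposes deprecating), and removing the entire SRV set merely makes the lookup fail.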