
Re: DNSSEC - Signature Only vs the MX/A issue.



On Mon, Dec 04, 2006 at 02:43:05PM -0500, Robert Story wrote:

> So, my observation was simply that I can't imagine people signing up
> for OSIGs when a deletion attack is so simple...

Without intercepting traffic from either the client or the authoritative
nameserver, a deletion attack is only easy if the source port and DNS id of
queries are predictable.

People with the ability to intercept and inject packets are rare compared to
those able to spoof data from non-BCP 38 compliant networks - who I
currently consider the gravest danger to the DNS.

	Bert

-- 
http://www.PowerDNS.com      Open source, database driven DNS Software 
http://netherlabs.nl              Open and Closed source services

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>
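The following is an added example, not part of the original message or of any project it mentions. It is a check an operator could run over (source port, DNS ID) pairs captured from their own resolver's outbound queries, to see whether either value is predictable in the sense the message describes. The function names, the 0.5 threshold, the four-sample minimum and the sample captures are assumptions made for illustration.

```python
from collections import Counter

def dominant_delta_ratio(values, modulus=65536):
    """Share of consecutive differences (mod 2**16) equal to the most common one.

    1.0 means a fixed or steadily stepping value; random 16-bit values
    give a ratio near 1/len(deltas).
    """
    deltas = [(b - a) % modulus for a, b in zip(values, values[1:])]
    return Counter(deltas).most_common(1)[0][1] / len(deltas)

def assess(samples, threshold=0.5):
    """samples: (source_port, dns_id) pairs in the order the queries were sent."""
    if len(samples) < 4:
        # With only one or two deltas every sequence looks "predictable".
        raise ValueError("need at least 4 samples")
    port_predictable = dominant_delta_ratio([p for p, _ in samples]) >= threshold
    id_predictable = dominant_delta_ratio([i for _, i in samples]) >= threshold
    # Upper bound on the bits an off-path sender must guess per query:
    # 16 for an unpredictable ID plus at most 16 for an unpredictable port
    # (real ephemeral port ranges are smaller than 2**16).
    unknown_bits = 16 * (not id_predictable) + 16 * (not port_predictable)
    return {"port_predictable": port_predictable,
            "id_predictable": id_predictable,
            "unknown_bits_upper_bound": unknown_bits}

# Constructed sample captures, not real traffic.
RANDOM_IDS = (0x1A2B, 0x9C01, 0x4477, 0xE310, 0x0B5D, 0x7F02, 0xC8A9, 0x33E4)
RANDOM_PORTS = (40211, 51877, 33902, 60114, 47555, 38620, 55009, 42376)
FIXED_PORT_SEQ_ID = [(53, 1000 + n) for n in range(8)]
FIXED_PORT_RANDOM_ID = [(32768, i) for i in RANDOM_IDS]
RANDOM_BOTH = list(zip(RANDOM_PORTS, RANDOM_IDS))

if __name__ == "__main__":
    for name, capture in (("fixed port, sequential id", FIXED_PORT_SEQ_ID),
                          ("fixed port, random id", FIXED_PORT_RANDOM_ID),
                          ("random port and id", RANDOM_BOTH)):
        print(name, assess(capture))
```

A real assessment needs far more than eight samples and a proper statistical test; the dominant-delta ratio only catches fixed and constant-step sequences.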