On Mon, 4 Oct 2010, Joe Abley wrote:
>
> I have not heard a clear description of a problem yet

How can a system that missed a TA rollover bootstrap its DNSSEC validator?
It might have missed a rollover because:

* It is an old software distribution that has just been installed;
* It is some old hardware that has just been deployed;
* It is some old hardware that has suffered a factory reset.

Here "old" means greater than two months - the root 5011 rollover period.

When a validator is bootstrapping it needs to be able to tell the difference
between an attack and a rolled TA. If it cannot get the new TA using the DNS,
it must do so using some higher level protocol. Higher level protocols depend
on the DNS. This implies that the system must provisionally switch off its
validator in order to obtain a new TA. This implies that bootstrapping systems
are vulnerable to downgrade attacks and therefore spoofing.

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
HUMBER THAMES DOVER WIGHT PORTLAND: NORTH BACKING WEST OR NORTHWEST, 5 TO 7,
DECREASING 4 OR 5, OCCASIONALLY 6 LATER IN HUMBER AND THAMES. MODERATE OR
ROUGH. RAIN THEN FAIR. GOOD.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
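The bootstrap failure described in the message above, as an added toy model that is not part of the thread: a minimal RFC 5011 state machine (add hold-down, revocation) driven by a constructed rollover timeline. Key labels, the day numbers and the `root_rrset` schedule are all made up for illustration, and "signed by" is a set-membership test rather than a real DNSSEC signature check. A validator that polls throughout follows the roll; one shipped with the old anchor and first switched on after the old key is gone has no trusted signer in common with what it sees, which is exactly the state in which it cannot distinguish a legitimate roll from a spoofed RRset and must refresh its anchor outside the DNS.

```python
# Added toy model of RFC 5011 trust-anchor tracking (not code from the thread).
# Keys are plain labels and "signed by" is a set-membership test, not a real
# DNSSEC signature check; the rollover timeline below is constructed.
from dataclasses import dataclass, field

ADD_HOLD_DOWN = 30  # days; the RFC 5011 add hold-down timer

OLD, NEW = "KSK-old", "KSK-new"  # constructed labels, not real key tags


@dataclass(frozen=True)
class DnskeyRRset:
    """What one poll of the root DNSKEY RRset looks like at a point in time."""
    keys: frozenset       # keys published in the RRset
    signers: frozenset    # keys whose RRSIGs cover the RRset
    revoked: frozenset = frozenset()  # keys carrying the REVOKE bit


def root_rrset(day: int) -> DnskeyRRset:
    """Constructed rollover schedule: NEW is pre-published at day 1, OLD is
    revoked at day 60, and only NEW remains from day 90 onward."""
    if day < 1:
        return DnskeyRRset(frozenset({OLD}), frozenset({OLD}))
    if day < 60:
        return DnskeyRRset(frozenset({OLD, NEW}), frozenset({OLD}))
    if day < 90:
        return DnskeyRRset(frozenset({OLD, NEW}), frozenset({OLD, NEW}),
                           frozenset({OLD}))
    return DnskeyRRset(frozenset({NEW}), frozenset({NEW}))


@dataclass
class Validator5011:
    """Minimal RFC 5011 state machine: trusted anchors plus pending keys."""
    trusted: set
    pending: dict = field(default_factory=dict)  # key -> day first seen

    def poll(self, day: int, rrset: DnskeyRRset) -> bool:
        """Process one observation; return False when it cannot be validated."""
        # RFC 5011 only acts on RRsets signed by a currently trusted key. With
        # no overlap the validator cannot tell a completed rollover from a
        # spoofed RRset, so it must not adopt anything it sees here: the new
        # anchor has to come from outside the DNS (updated package, etc.).
        if not (rrset.signers & self.trusted):
            return False
        # A trusted key that signs with the REVOKE bit set is dropped.
        for key in rrset.revoked & self.trusted:
            self.trusted.discard(key)
        # Keys that vanish from the RRset lose their hold-down progress.
        for key in list(self.pending):
            if key not in rrset.keys:
                del self.pending[key]
        # Newly seen keys start the add hold-down timer.
        for key in rrset.keys - self.trusted - rrset.revoked:
            self.pending.setdefault(key, day)
        # Keys seen continuously for the hold-down period become anchors.
        for key, first_seen in list(self.pending.items()):
            if day - first_seen >= ADD_HOLD_DOWN:
                self.trusted.add(key)
                del self.pending[key]
        return True


def run(validator: Validator5011, first_day: int, last_day: int) -> list:
    """Poll once per day over [first_day, last_day]; return days that failed."""
    return [d for d in range(first_day, last_day + 1)
            if not validator.poll(d, root_rrset(d))]


def tracking_validator_outcome():
    """A validator that was online throughout follows the rollover."""
    v = Validator5011(trusted={OLD})
    return run(v, 0, 120), v.trusted


def stale_install_outcome(deploy_day: int = 120):
    """A validator shipped with OLD and first switched on after the rollover
    (the 'old software' / 'factory reset' cases from the thread)."""
    v = Validator5011(trusted={OLD})
    return run(v, deploy_day, deploy_day), v.trusted


if __name__ == "__main__":
    print("tracking:", tracking_validator_outcome())  # ([], {'KSK-new'})
    print("stale:   ", stale_install_outcome())       # ([120], {'KSK-old'})
```

The design choice worth noting is that `poll` refuses rather than adapts when no trusted key signs the RRset: the model keeps the old anchor and reports failure, leaving the decision to fetch a fresh anchor to an out-of-band step, which is the point the message makes about bootstrapping systems.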