On Aug 21, 2008, at 8:41 PM, Mark Andrews wrote:
David do you have a nameserver we can bounce queries off
which has the root zone signed as it would be in production?
ns.iana.org doesn't count as the NS RRset is modified.
I'll see about getting that fixed.
Regards,
-dr
>
> David do you have a nameserver we can bounce queries off
> which has the root zone signed as it would be in production?
>
> ns.iana.org doesn't count as the NS RRset is modified.
>
> Mark
root and root-servers.net to produce worst case scenarios.
--
Mark An
David do you have a nameserver we can bounce queries off
which has the root zone signed as it would be in production?
ns.iana.org doesn't count as the NS RRset is modified.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9
> Mark,
>
> On Aug 21, 2008, at 5:25 PM, Mark Andrews wrote:
> > I'm not hoping for the best. I'm confident that there won't
> > be major issues.
> ...
> > Yes change is scary.
>
> This is, perhaps, a question of perspective.
>
> The Internet is now a basic infrastructure upon whic
> On Thu, 21 Aug 2008, David Conrad wrote:
> > Now, I've always thought a separate root infrastructure that you had
> > to opt in to would be a good way to go, but this quickly gets bogged
> > down in extremely annoying (at least to me) layer 9 politics and I'll
> > let someone else try to p
On Aug 21, 2008, at 5:16 PM, David Conrad wrote:
If you are getting a signed
response, please let me know as something would be horribly wrong.
No, I was just being clueless. In fact, you are correct - it is not
signed at all.
In Dublin, there was some agreement on how to
move forward an
Ted,
On Aug 21, 2008, at 4:48 PM, Ted Lemon wrote:
It looks like it's sort of half-signed - if I query the right
authoritative server, I do get a signed response, but most of the
servers authoritative for ip6.arpa do not respond with signed
responses.
Err, no. It isn't signed, at least o
*plonk*
On Aug 21, 2008, at 3:50 PM, Masataka Ohta wrote:
Paul Wouters wrote:
Instead, MitM attack on DNSSEC is performed, for example, within
intermediate zones with forged signature on child zone with forged
end-users data.
Oh I see. DNSSEC is broken because we cannot trust RSA, DSA, SHA2
I've been doing a lot of IPv6-related hacking recently, and of course
participating in this discussion about DNSSEC as a solution to MitM
attacks, and it occurred to ask whether ip6.arpa is signed. It looks
like it's sort of half-signed - if I query the right authoritative
server, I do get
On Thu, 21 Aug 2008, David Conrad wrote:
> Now, I've always thought a separate root infrastructure that you had
> to opt in to would be a good way to go, but this quickly gets bogged
> down in extremely annoying (at least to me) layer 9 politics and I'll
> let someone else try to push that bo
Paul Wouters wrote:
>> Instead, MitM attack on DNSSEC is performed, for example, within
>> intermediate zones with forged signature on child zone with forged
>> end-users data.
> Oh I see. DNSSEC is broken because we cannot trust RSA, DSA, SHA256,
> Diffie-Hellman, and perhaps elliptic curve
T
> Andrew Sullivan wrote:
> > On Fri, Aug 22, 2008 at 12:01:16AM +1000, Mark Andrews wrote:
> >
> >
> >> The issues David was pointing out have been visible for years. So
> >> too has the recovery behaviour if one chooses to look for it. There
> >> is nothing new in what David has been saying.
>
On Thu, Aug 21, 2008 at 09:47:38AM -0700, David Conrad wrote:
...
> >If the root zone were to "strobe" between signed and unsigned, what
> >minimum duration of "signed", and what
> >maximum duration of "unsigned" would be likely to not cause
> >operational problems for the aforementioned
> >DNS
On Thu, Aug 21, 2008 at 10:09:50AM -0400, Dean Anderson wrote:
> On Tue, 19 Aug 2008, Ted Lemon wrote:
>
> > On Aug 19, 2008, at 8:15 PM, Dean Anderson wrote:
> > > A verifying
> > > DNSSEC cache can be poisoned with bad glue records using the poisoning
> > > attack, with only a slight change to the
Francis,
On Aug 21, 2008, at 8:42 AM, Francis Dupont wrote:
it seems the three problems are more from EDNS0 than from
the DO=1 (and without EDNS0 there is no DO bit :-) so DO is not
the real source of the problems, it is EDNS0 and how it can be
badly handled by not-compliant middle boxes & co.
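The point above is that the DO bit only exists inside the EDNS0 OPT pseudo-RR, so a query cannot carry DO=1 without also carrying EDNS0, and a middlebox that chokes on EDNS0 chokes regardless of DO. As an added example (not code from this thread or from any of its participants), the following Python builds a DNS query on the wire with and without an OPT record, reads the DO flag back out of the OPT TTL field, and simulates a non-compliant middlebox that drops anything with an OPT record. The function names, the transaction ID and the 4096-byte UDP payload size are assumptions chosen for the illustration.

```python
import struct

OPT_TYPE = 41        # EDNS0 OPT pseudo-RR type (RFC 2671)
DO_FLAG = 0x8000     # DO bit: high bit of the 16-bit flags word inside the OPT TTL (RFC 3225)


def encode_name(name):
    """Encode a dotted name as uncompressed wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype=1, txid=0x1234, edns=False, do=False, udp_size=4096):
    """Build a standard recursive query; optionally append an EDNS0 OPT record.

    udp_size and txid are illustrative values, not taken from the thread.
    """
    if do and not edns:
        # The DO bit lives in the OPT record; there is nowhere to put it otherwise.
        raise ValueError("DO=1 requires EDNS0")
    arcount = 1 if edns else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD set
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)    # class IN
    if not edns:
        return header + question
    flags = DO_FLAG if do else 0
    # OPT RR: root name, type 41, class = UDP payload size,
    # TTL = extended RCODE (8) | version (8) | flags (16), RDLEN = 0
    opt = b"\x00" + struct.pack("!HHBBHH", OPT_TYPE, udp_size, 0, 0, flags, 0)
    return header + question + opt


def skip_name(packet, offset):
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        length = packet[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:
            return offset + 2
        offset += 1 + length


def edns_info(packet):
    """Scan the additional section; return (edns_present, do_set, udp_payload_size)."""
    _txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    offset = 12
    for _ in range(qd):
        offset = skip_name(packet, offset) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        offset = skip_name(packet, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        if rtype == OPT_TYPE:
            # For OPT, CLASS is the sender's UDP payload size and DO sits in the TTL word.
            return True, bool(ttl & DO_FLAG), rclass
        offset += rdlen
    return False, False, None


def legacy_middlebox_drops(packet):
    """Constructed model of a non-compliant middlebox: drops any packet carrying an OPT RR.

    It never looks at DO, so EDNS0 queries with DO=0 are dropped just the same.
    """
    present, _do, _size = edns_info(packet)
    return present


if __name__ == "__main__":
    for label, q in (("plain", build_query("example.com")),
                     ("edns, DO=0", build_query("example.com", edns=True)),
                     ("edns, DO=1", build_query("example.com", edns=True, do=True))):
        print(label, edns_info(q), "dropped" if legacy_middlebox_drops(q) else "passed")
```

Run it and the plain query passes the simulated middlebox while both EDNS0 queries are dropped, with or without DO; that is the distinction the message draws between problems caused by EDNS0 handling and problems caused by DO itself.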
On Thu, 21 Aug 2008, Masataka Ohta wrote:
Instead, MitM attack on DNSSEC is performed, for example, within
intermediate zones with forged signature on child zone with forged
end-users data.
Oh I see. DNSSEC is broken because we cannot trust RSA, DSA, SHA256,
Diffie-Hellman, and perhaps elliptic
David Conrad wrote:
Brian,
On Aug 21, 2008, at 8:45 AM, Brian Dickson wrote:
How stable is the content of the root zone?
(Really, really stable, I'd guess.)
On average, there are about 20-30 changes to the root zone per month
(not including SOA serial number increments) with the trend
incre
Brian,
On Aug 21, 2008, at 8:45 AM, Brian Dickson wrote:
How stable is the content of the root zone?
(Really, really stable, I'd guess.)
On average, there are about 20-30 changes to the root zone per month
(not including SOA serial number increments) with the trend
increasing. August has
Andrew Sullivan wrote:
On Fri, Aug 22, 2008 at 12:01:16AM +1000, Mark Andrews wrote:
The issues David was pointing out have been visible for years. So
too has the recovery behaviour if one chooses to look for it. There
is nothing new in what David has been saying.
I think you may be m
In your previous mail you wrote:
The concern I see (that I had hoped would be avoided by DO being set
to 1 only when the caching server administrator had explicitly
configured DNSSEC awareness) is that folks who are blissfully unaware
of the root being signed would, through no f
On Fri, Aug 22, 2008 at 12:01:16AM +1000, Mark Andrews wrote:
> The issues David was pointing out have been visible for years. So
> too has the recovery behaviour if one chooses to look for it. There
> is nothing new in what David has been saying.
I think you may be missing the import of what he'
Antoin Verschuren wrote:
>>There are intelligent intermediate entities of root, TLD and
>>other servers between you and authoritative nameservers of your
>>peer.
> This is on data distribution path level, not infrastructure, nor data.
FYI, "I" of PKI is "Infrastructure".
And here are the attack
On Wed, Aug 20, 2008 at 11:17:38AM +0200, Alexander Gall wrote:
> On Tue, 19 Aug 2008 15:43:14 -0400, Andrew Sullivan <[EMAIL PROTECTED]> said:
>
> > On Tue, Aug 19, 2008 at 10:35:54AM -0700, David Conrad wrote:
> >> it in their products or services. Peter Koch did provide an interesting
> >> da
On Tue, 19 Aug 2008, Ted Lemon wrote:
> On Aug 19, 2008, at 8:15 PM, Dean Anderson wrote:
> > A verifying
> > DNSSEC cache can be poisoned with bad glue records using the poisoning
> > attack, with only a slight change to the Kaminsky software.
>
> Do you mean that it can be convinced that an answe
On Thu, Aug 21, 2008 at 12:32:10PM +1000, Mark Andrews wrote:
> people even noticing that DO is set. If DO caused non
> recoverable problems we would have seen them long before
> now.
I don't think that follows, which is (if I interpret him correctly)
what David Conrad was poin
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Masataka Ohta
> Subject: Re: [DNSOP] A different question
>
> There are intelligent intermediate entities of root, TLD and
> other servers between you and authoritative nameservers of your
> peer.
This