Re: [DNSOP] Another TLD intending to sign soon

2008-08-27 Thread Mark Andrews
> Some comments on incorrect assertions on the NSEC/NSEC3 attacks. > > >(1) there is no cryptographic defense against an attack where the > > attacker convinces the target that a zone that does not exist at all > > does exist. It is not possible to do this with NSEC. Names eithe

Re: [DNSOP] Another TLD intending to sign soon

2008-08-27 Thread Ted Lemon
On Aug 27, 2008, at 3:45 PM, Dean Anderson wrote: > I'm not sure I agree with your summary of the NSEC/NSEC3 issues. I'll > mostly ignore your summary for now and just note that there are a > number > of other serious flaws. It's hard to take a statement like this seriously when it's not backed

Re: [DNSOP] Another TLD intending to sign soon

2008-08-27 Thread Dean Anderson
On Tue, 26 Aug 2008, Ted Lemon wrote: > If you had a problem with (1), you should have raised this back when > the working group made this change. The above criticism is an entirely disingenuous comment. Mr Lemon has previously been made aware that critics of DNSSEC were silenced on DNSEXT W

Re: [DNSOP] Another TLD intending to sign soon

2008-08-27 Thread Dean Anderson
On Tue, 26 Aug 2008, Ted Lemon wrote: > On Aug 26, 2008, at 1:06 PM, Dean Anderson wrote: > > How could their testing and analysis be considered 'thorough' or > > credible when they didn't find the very serious flaws just recently > > identified on this list? > > To summarize, the two "flaws" to

Re: [DNSOP] Another TLD intending to sign soon

2008-08-26 Thread Joe Baptista
On Tue, Aug 26, 2008 at 1:10 PM, Roy Arends <[EMAIL PROTECTED]> wrote: > > This will be a very interesting experiment. And finally a good test of >> DNSSEC. Great for consultants. >> > > Why would this be experimental or test? Why 'finally'. This implies DNSSEC > has not been deployed or been te

Re: [DNSOP] Another TLD intending to sign soon

2008-08-26 Thread Ted Lemon
On Aug 26, 2008, at 1:06 PM, Dean Anderson wrote: > How could their testing and analysis be considered 'thorough' or > credible when they didn't find the very serious flaws just recently > identified on this list? To summarize, the two "flaws" to which you refer are: (1) there is no cryptograp

Re: [DNSOP] Another TLD intending to sign soon

2008-08-26 Thread Dean Anderson
On Tue, 26 Aug 2008, Roy Arends wrote: > > This will be a very interesting experiment. And finally a good test > > of DNSSEC. Great for consultants. > > Why would this be experimental or test? Why 'finally'. This implies > DNSSEC has not been deployed or been tested 'good' before. Has DNSSE

Re: [DNSOP] Another TLD intending to sign soon

2008-08-26 Thread Roy Arends
On Aug 26, 2008, at 7:03 PM, Joe Baptista wrote: > On Tue, Aug 26, 2008 at 11:26 AM, Paul Hoffman > <[EMAIL PROTECTED]> wrote: > > > >Government agencies must take new measures by January 2009 to ensure > >the Domain Name System security extensio

[DNSOP] Another TLD intending to sign soon

2008-08-26 Thread Joe Baptista
On Tue, Aug 26, 2008 at 11:26 AM, Paul Hoffman <[EMAIL PROTECTED]> wrote: > > > >Government agencies must take new measures by January 2009 to ensure > >the Domain Name System security extensions on top level .gov Web > >site domains are signed, and

[DNSOP] Another TLD intending to sign soon

2008-08-26 Thread Paul Hoffman
>Government agencies must take new measures by January 2009 to ensure >the Domain Name System security extensions on top level .gov Web >site domains are signed, and that processes for securing sub-domains >are developed, according to a memorand