Full Disclosure: Re: DNS Cache Dan Kamikaze (Actual Exploit Discussion)

[Paul Schmehl <pschmehl_lists () tx rr com>]

--On July 16, 2008 11:17:07 AM +1000 Mark Andrews <Mark_Andrews () isc org> 
wrote:
> > The real problem isn't signing or resigning zones, or even
> > successfully=20 completing the original configuration (although those
> > are not trivial for=20 the average person trying to setup their own
> > dns).  It's the trust=20 anchors.  Until the root is signed, trust
> > anchors are a PITA.  And until=20 the root is signed, why should anyone
> > believe that DNSSEC will achieve=20 wide adoption?
>         Well there are a number of ccTLD's that are already signed.
>         RIPE sign their part of the reverse space.  ORG is in the
>         process of getting signed.  It's happening.
>
>         There are existing solutions to dealing with lack of support
>         in the infrastructure zones (includes the root).  You let
>         someone you trust collect the trust anchors for you then
>         incorporate them on a regular basis.
>
>         We effectively do this everyday with https but for some
>         reason people are scared to do the same thing with dns
>         despite private parts of the keys never being available to
>         the entity doing the certification.  With https the certifying
>         authority can spoof any site they certify.
Perhaps that's because a cert problem on a web server breaks a single 
webserver.  A cert problem with dns breaks an entire domain.
Paul Schmehl
If it isn't already obvious,
my opinions are my own and not
those of my employer.

Attachment: _bin
Description:

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/