opportunistic encryption and DNSSEC
(I'm changing the subject line to help mail sorting...)
>>>>> "Derek" == Derek Atkins <warlord@MIT.EDU> writes:
Derek> Bill Manning <bmanning@ISI.EDU> writes:
>> 'cause I want to confuse your software?
Derek> If one is going to trust DNS (or even DNSSec) and the DNS zone
Derek> administrator wants to foil you, there is nothing you can do. Even if
Derek> you go ahead and use KEY or CERT records, you (the DNS admin) could
Derek> put in bad/fake data. There is nothing to protect users against
Derek> attackers who are their own DNS admins.
Derek is absolutely right.
DNS(sec) is in general used for *authentication*.
The X-IPsec-Server record is a form of authorization. If you wish to authorize
strange things, that is your business. It would be nice to go towards a more
clear form of authorization.
(Recall RGM's "TX" record for instance)
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy"); [