[dnssec-deployment] What does DNSSEC enable?

Ralph Droms rdroms at cisco.com
Fri Jan 7 08:54:28 EST 2005


I communicate with Ted from time to time about DHCP issues.  I'll try to 
get in touch with him today.

- Ralph

At 09:46 AM 1/7/2005 +0100, Olaf M. Kolkman wrote:

> > What *WE* know is that very few people, if any, are verifying whether
> > the browser they have installed actually has not changed since the
> > master was loaded with certs. I also know that at least around 1998, no
> > browser was checking whether a cert in the CA cert chain was changed
> > with a simple editor. I.e. the cert still was claimed to be from, for
> > example, Verisign, but the content of the cert had changed to be some
> > bogus thing. An operation a trojan could do very easily.
>
>Ouchh... does that still work?
>
> > Only path forward for browsers is, I think, that the people that
> > implement DNSSEC (i.e. "we") also hack the open source projects like
> > Mozilla so the right (another?) icon is displayed beside the padlock. I
> > think it would be very hard to get the browser hackers to do it. They
> > have enough problems getting CSS, Java and what not to work.
>
>
>Bill mentioned in the Jabber room that there is some submerged
>effort. More information on that would be good to have.
>
> >
> > A very cool application is, I think, the mix between DNS Dynamic
> > Updates (secured via SIG(0)), DNSSEC and IPSEC tunnels between devices
> > that move around (or get IP addresses in large networks from ISP's via
> > DHCP).
> >
>
>I recall Ted Lemon being very enthusiastic about the ability to fetch
>a public key from the forward zone and then do all kinds of things
>with DHCP and reverse DNS. I do not recall the exact architecture he
>was getting at. (This was during a workshop we organized a long time
>ago: http://ops.ietf.org/dns/dynupd/secure-ddns-howto.html).
>
>Anybody on this list who runs into Ted on a regular basis? If not I'll 
>mail him.
>
>--Olaf
>
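The quoted message talks about fetching a public key from the forward zone and about trust-store material being altered without anyone checking. The concrete check a DNSSEC client performs at that point is to recompute the key tag and DS digest of the DNSKEY it fetched and compare them with the DS it already trusts (a configured trust anchor or the DS published in the parent zone), so a key that was swapped or edited fails to match. The code below is an added example written for this archive page; it is not code from the list, from Ted's or Olaf's work, or from any named DNSSEC implementation. The owner name example.com., the DS digest type 2 (SHA-256) and the key bytes are constructed for illustration; the key is not a real RSA key, only RDATA of the right shape.

```python
"""Recompute key tag and DS for a DNSKEY and compare with a trusted DS.

Added example, not code from the dnssec-deployment thread. The DNSKEY
below is constructed: the public key bytes are a placeholder, not a
real key. Algorithms follow RFC 4034 Appendix B (key tag) and RFC 4509
(DS with SHA-256, digest type 2).
"""
import base64
import hashlib

SHA256_DIGEST_TYPE = 2  # DS digest type for SHA-256 (RFC 4509)


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed
    labels, terminated by a zero-length root label."""
    name = name.rstrip(".").lower()
    out = b""
    for label in (name.split(".") if name else []):
        if not 1 <= len(label) <= 63:
            raise ValueError("bad label length in %r" % name)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def parse_dnskey(line: str):
    """Parse 'owner [ttl] [IN] DNSKEY flags proto alg base64...' and return
    (owner, algorithm, rdata) where rdata is the DNSKEY RDATA wire form."""
    fields = line.split()
    idx = fields.index("DNSKEY")
    owner = fields[0]
    flags, proto, alg = (int(x) for x in fields[idx + 1:idx + 4])
    # The base64 public key may be split across several whitespace-separated
    # chunks in presentation format; join them before decoding.
    pubkey = base64.b64decode("".join(fields[idx + 4:]))
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey
    return owner, alg, rdata


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (all algorithms
    except the obsolete RSA/MD5 algorithm 1, which has its own rule)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(line: str) -> str:
    """DS RDATA in presentation form: 'keytag alg 2 <sha256 hex>'."""
    owner, alg, rdata = parse_dnskey(line)
    digest = hashlib.sha256(owner_wire(owner) + rdata).hexdigest().upper()
    return "%d %d %d %s" % (key_tag(rdata), alg, SHA256_DIGEST_TYPE, digest)


def _normalize_ds(ds: str):
    # Presentation format allows the hex digest to be broken by spaces.
    tokens = ds.upper().split()
    return tokens[:3] + ["".join(tokens[3:])]


def dnskey_matches_ds(line: str, trusted_ds: str) -> bool:
    """True only if the fetched DNSKEY reproduces the DS we already trust.
    Any change to the key bytes, flags, protocol or algorithm fails here."""
    return _normalize_ds(ds_from_dnskey(line)) == _normalize_ds(trusted_ds)


# Constructed sample data: a placeholder KSK (flags 257) for example.com.
# The key bytes are an arbitrary pattern, not real key material.
_KEY_BYTES = b"\x03\x01\x00\x01" + bytes(range(64))
SAMPLE_DNSKEY = "example.com. 3600 IN DNSKEY 257 3 8 " + \
    base64.b64encode(_KEY_BYTES).decode()
# Same record with the last key byte altered, as an editor or trojan might.
TAMPERED_DNSKEY = "example.com. 3600 IN DNSKEY 257 3 8 " + \
    base64.b64encode(_KEY_BYTES[:-1] + b"\xff").decode()

if __name__ == "__main__":
    trusted = ds_from_dnskey(SAMPLE_DNSKEY)  # what the parent/anchor holds
    print("trusted DS :", trusted)
    print("fetched ok :", dnskey_matches_ds(SAMPLE_DNSKEY, trusted))
    print("tampered ok:", dnskey_matches_ds(TAMPERED_DNSKEY, trusted))
```

The point of the comparison is that the verifier never needs to trust the zone it fetched the key from: the DS held by the parent (or as a trust anchor) pins the exact DNSKEY RDATA, so the altered record above produces a different digest and is rejected before any signature is checked.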