Re: How do we get the whole world to upgrade to DNSSEC capable resolvers?

Alex Bligh <alex@alex.org.uk> Wed, 13 August 2008 18:15 UTC

Date: Wed, 13 Aug 2008 19:09:52 +0100
From: Alex Bligh <alex@alex.org.uk>
Reply-To: Alex Bligh <alex@alex.org.uk>
To: Paul Vixie <vixie@isc.org>, "David W. Hankins" <David_Hankins@isc.org>
cc: namedroppers@ops.ietf.org, Alex Bligh <alex@alex.org.uk>
Subject: Re: How do we get the whole world to upgrade to DNSSEC capable resolvers?


--On 13 August 2008 17:35:01 +0000 Paul Vixie <vixie@isc.org> wrote:

>> Or even Kaminsky-subverting http://www.bank.com/ to point to a host
>> which produces a redirect to https://www.bankfoo.com/, which is under
>> the attacker's full control.
>
> no real reason to s/bank/bankfoo/ in that example.  once you've got the A
> RR for www.bank.com you can just not redirect folks to https:.

Perhaps there is no real reason but all 4 of the online banking services
I use do this.

Alex
