Re: How do we get the whole world to upgrade to DNSSEC capable resolvers?
Dean Anderson <dean@av8.com> Wed, 13 August 2008 13:37 UTC
Date: Tue, 12 Aug 2008 15:45:57 -0400
From: Dean Anderson <dean@av8.com>
X-X-Sender: dean@citation2.av8.net
To: David Conrad <drc@virtualized.org>
cc: "Jesper G. Høy" <jesper@jhsoft.com>, Namedroppers WG <namedroppers@ops.ietf.org>
Subject: Re: How do we get the whole world to upgrade to DNSSEC capable resolvers?
In-Reply-To: <B5457C05-D2EA-4A31-94AB-84807AC62843@virtualized.org>
Message-ID: <Pine.LNX.4.44.0808121535120.3680-100000@citation2.av8.net>
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>
[ Moderators note: Post was moderated, either because it was posted by a non-subscriber, or because it was over 20K. With the massive amount of spam, it is easy to miss and therefore delete relevant posts by non-subscribers. Please fix your subscription addresses. ]

On Mon, 11 Aug 2008, David Conrad wrote:

> > > Only SSL can protect you here.
>
> As Dan Kaminsky points out: "SSL certs themselves are dependent on the
> DNS".

Kaminsky is wrong. SSL uses DNS to obtain an IP address to connect to a server, and then expects the server to produce a certificate, which the client verifies. Spoofing DNS does not enable the attacker to obtain the private key to the valid certificate. The DNS domain information placed in a certificate merely allows the client to determine before verification if it got the certificate it asked for. However, the wrong or fake certificate won't verify unless there is a fault in the Certification Authority (this happened with MS some years ago). But a spoofed DNS name going to a wrong server results in a failure to verify the certificate. So SSL is NOT "dependent on DNS".

Of course, if spoofed DNS sends the SSL connection to the wrong server, a DoS attack still results, since one didn't get to the correct server. In that sense, everything a user does is dependent on DNS. But it is not the case that your bank information can be stolen by this DNS attack, as Kaminsky seems to have told the mainstream press.

--Dean

-- 
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net         faster, more reliable, better service
617 344 9000

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>
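The check the message above turns on is the client's certificate verification: whatever address DNS returned, the client only accepts the connection if the presented certificate chains to a trusted root and is valid for the name it asked for. The following Go program is an added example (mine, not code from the poster or the list) that builds the four situations the message discusses with an in-memory, constructed CA: the genuine server, a spoofed answer steering the client to an attacker who holds a valid certificate only for his own name, a spoofed answer to an attacker with a self-signed certificate claiming the bank's name, and the "fault in the Certification Authority" case where a trusted CA mis-issues the bank's name to the attacker. The names `bank.example`, `attacker.example` and `Trusted CA` are placeholders I chose; the verification logic is Go's standard `crypto/x509` chain and hostname validation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// serial hands out distinct serial numbers for the certificates built below.
var serial int64

// makeCert builds a certificate whose subject (and, for leaves, SAN) is name.
// With parent == nil the certificate is self-signed: that is how the trusted
// CA is created, and also how an attacker can forge a certificate that merely
// claims a name without any trusted CA vouching for it.
func makeCert(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{name} // the name the client checks against
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer := key
	if parent == nil {
		parent = tmpl // self-signed
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// clientVerifies performs the check a TLS client does once the connection
// (to whatever address DNS handed it) delivers a certificate: the chain must
// lead to a trusted root AND the certificate must be valid for the name the
// client asked for. DNS answers play no part in either condition.
func clientVerifies(presented *x509.Certificate, requestedName string, roots *x509.CertPool) error {
	_, err := presented.Verify(x509.VerifyOptions{
		DNSName:   requestedName,
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Scenarios returns, for each situation in the thread, whether a client that
// asked for bank.example accepts the certificate it is shown. All keys, the
// CA and the names are constructed here for illustration.
func Scenarios() map[string]bool {
	ca, caKey := makeCert("Trusted CA", true, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)

	bank, _ := makeCert("bank.example", false, ca, caKey)           // the real server
	attackerOwn, _ := makeCert("attacker.example", false, ca, caKey) // attacker's legitimate cert
	attackerFake, _ := makeCert("bank.example", false, nil, nil)     // self-signed, claims the bank
	misissued, _ := makeCert("bank.example", false, ca, caKey)       // CA fault: issued to attacker

	const requested = "bank.example"
	check := func(c *x509.Certificate) bool { return clientVerifies(c, requested, roots) == nil }
	return map[string]bool{
		"correct server":                   check(bank),
		"spoofed DNS -> attacker's own cert": check(attackerOwn),
		"spoofed DNS -> self-signed fake":  check(attackerFake),
		"spoofed DNS + CA mis-issuance":    check(misissued),
	}
}

func main() {
	r := Scenarios()
	for _, name := range []string{"correct server", "spoofed DNS -> attacker's own cert",
		"spoofed DNS -> self-signed fake", "spoofed DNS + CA mis-issuance"} {
		fmt.Printf("%-36s client accepts: %v\n", name, r[name])
	}
}
```

Only the genuine server and the CA-mis-issuance case are accepted; the two spoofed-DNS cases fail verification, so the client aborts the handshake and sends nothing (the denial-of-service outcome the message describes rather than a stolen session).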