IETF Logo Mail Archive

Re: [dnsext] Possible DNSSECbis clarifications

Miek Gieben <miek@miek.nl> Mon, 28 March 2011 16:12 UTC

Return-Path: <miekg@atoom.net>
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2BFDD28C0D9 for <dnsext@core3.amsl.com>; Mon, 28 Mar 2011 09:12:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4djAf97UjVf3 for <dnsext@core3.amsl.com>; Mon, 28 Mar 2011 09:12:00 -0700 (PDT)
Received: from elektron.atoom.net (cl-201.ede-01.nl.sixxs.net [IPv6:2001:7b8:2ff:c8::2]) by core3.amsl.com (Postfix) with ESMTP id 16B9F28C0D7 for <dnsext@ietf.org>; Mon, 28 Mar 2011 09:12:00 -0700 (PDT)
Received: by elektron.atoom.net (Postfix, from userid 1000) id 0FA4340067; Mon, 28 Mar 2011 18:13:35 +0200 (CEST)
Date: Mon, 28 Mar 2011 18:13:35 +0200
From: Miek Gieben <miek@miek.nl>
To: dnsext@ietf.org
Message-ID: <20110328161335.GB11536@miek.nl>
Mail-Followup-To: dnsext@ietf.org
References: <4D9042DA.30002@ogud.com> <00a701cbed28$64d1b1d0$2e751570$@lampo@eurid.eu> <EBB9E54E-15F1-46B0-81CB-4B2C7B47D598@hopcount.ca> <018401cbed48$0b8a6ac0$229f4040$@lampo@eurid.eu> <22FD4CD1-4EFB-412A-A307-485DEBE815CE@hopcount.ca> <01a901cbed53$e744b7e0$b5ce27a0$@lampo@eurid.eu> <BFB96297-9A30-4C9B-86D9-788AAB0D7E61@hopcount.ca> <01b701cbed61$61cd3480$25679d80$@lampo@eurid.eu>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg="pgp-sha1"; protocol="application/pgp-signature"; boundary="A6N2fC+uXW/VQSAv"
Content-Disposition: inline
In-Reply-To: <01b701cbed61$61cd3480$25679d80$@lampo@eurid.eu>
User-Agent: Vim/Mutt/Linux
X-Home: www.miek.nl
Subject: Re: [dnsext] Possible DNSSECbis clarifications
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Mar 2011 16:12:01 -0000

[ Quoting Marc Lampo at 17:55 on March 28 in "Re: [dnsext] Possible  DNSSECbis cl"... ]
> A "theorical" attack would be a "man-in-the-middle" change the trailing
> SOA, thus causing the secondary server to throw away each zone transfer it
> attempts (if it "believes" the second SOA is correct, in the absence of a
> valid RRSIG for it - that trailing SOA).

If you are scared of mitm attacks you should use tsig to secure the
transfer IMO.

grtz Miek

v2.23.0 | Report a Bug | By Email