On Wed, Dec 29, 2010 at 11:15:02AM -0500, Valdis.Kletnieks@vt.edu wrote:
On Wed, 29 Dec 2010 15:01:41 GMT, Tony Finch said:
No cryptography can expose the difference between data that is correctly signed by the proper procedures and data that is correctly signed by a corrupt procedure.
Amen...
Well, it *would* help detect an intruder that's smart enough to subvert the signing of the zones on the DNS server, but unable to also subvert the copy stored on some FTP site. Rather esoteric threat model, fast approaching the "Did you remember to take your meds?" level.
presuposes the attack was server directed. the DNS-sniper will take out your locally configured root KSK &/or replace it w/ their own. no need to "carpet-bomb" all users of the vt.edu caches - right?
Plus, if you're worried about foobar.com's zone being maliciously signed, do you *really* want to follow a pointer to www.foobar.com to fetch another copy? :)
who intimated that the OOB channel would be http? since that is based on the DNS, i'd like to think it was suspect as well. :) --bill