29 Dec 2010, 11:15 a.m.
On Wed, 29 Dec 2010 15:01:41 GMT, Tony Finch said:
> No cryptography can expose the difference between data that is correctly signed by the proper procedures and data that is correctly signed by a corrupt procedure.
Amen... Well, it *would* help detect an intruder that's smart enough to subvert the signing of the zones on the DNS server, but unable to also subvert the copy stored on some FTP site. Rather esoteric threat model, fast approaching the "Did you remember to take your meds?" level. Plus, if you're worried about foobar.com's zone being maliciously signed, do you *really* want to follow a pointer to www.foobar.com to fetch another copy? :)