hoofbeats of zebras, was DNSSEC to be strangled at birth.

John Levine johnl at iecc.com
Fri Apr 6 13:13:00 EDT 2007


>You assume the new .net key (and what's signed with it) would be
>supplied to all users of the DNS, rather than used for a targeted
>attack on one user (or a small number of users).  Why assume the
>potential adversary will restrict himself to the dumbest possible way
>to use the new tools you're about to hand him?

I dunno about you, but if some part of the Federal government wanted
to mess with a particular target, it's much more likely they would
arrange for some large NSPs to do some adjusted BGP.  Or even more likely
some guys in suits would show up at Verisign and say, "We're from
[redacted] and we would appreciate it if you arranged for requests for
[redacted].net from network [redacted]/15 to resolve to [redacted] for
the next couple of weeks."

Personally, I like Paul's theory about the DHS dork with a press
release.  He doesn't understand zones or delegation or the root
servers or routing or anything else, but the signing key will let them
Take Control of this Vital Resource in case of National Emergency.
You know, like they did in New Orleans.

Regards,
John Levine, johnl at iecc.com, Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://www.johnlevine.com, Mayor
"More Wiener schnitzel, please", said Tom, revealingly.


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com