North American Network Operators Group


Re: Exploit for DNS Cache Poisoning - RELEASED

  • From: Valdis . Kletnieks
  • Date: Thu Jul 24 21:05:16 2008

On Thu, 24 Jul 2008 17:43:10 PDT, David Conrad said:
> On Jul 24, 2008, at 4:24 PM, Tomas L. Byrnes wrote:
>> The problem is, once the ICANNt root is self-signed, the hope of ever
>> revoking that dysfunctional mess as authority is gone.

> As far as I'm aware, as long as the KSK isn't compromised, changing  
> the organization who holds the KSK simply means waiting until the next  
> KSK rollover and have somebody else do the signing.

That's true if the ICANN KSK is signed *by some other entity* - that entity
can then force a change by signing some *other* KSK for the next rollover.

If the ICANN key is self-signed as Tomas hypothesizes, then that leverage
evaporates.
If  
