Re: [Full-disclosure] DNS Cache Dan Kamikaze (Actual Exploit Discussion)




The real problem isn't signing or resigning zones, or even successfully=20
completing the original configuration (although those are not trivial for=20
the average person trying to setup their own dns). It's the trust=20
anchors. Until the root is signed, trust anchors are a PITA. And until=20
the root is signed, why should anyone believe that DNSSEC will achieve=20
wide adoption?

Well there are a number of ccTLD's that are already signed.
RIPE sign their part of the reverse space. ORG is in the
process of getting signed. It's happening.

There are existing solutions to dealing with lack of support
in the infrastructure zones (includes the root). You let
someone you trust collect the trust anchors for you then
incorporate them on a regular basis.

We effectively do this everyday with https but for some
reason people are scared to do the same thing with dns
despite private parts of the keys never being available to
the entity doing the certification. With https the certifying
authority can spoof any site they certify.

Mark

Paul Schmehl
If it isn't already obvious,
my opinions are my own and not
those of my employer.
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@xxxxxxx

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



Relevant Pages

  • Re: [Full-disclosure] DNS Cache Dan Kamikaze (Actual Exploit Discussion)
    ... It's the trust=3D20 anchors. ... Until the root is signed, ... someone you trust collect the trust anchors for you then ... reason people are scared to do the same thing with dns ...
    (Full-Disclosure)
  • Re: [Full-disclosure] DNS Cache Dan Kamikaze (Actual Exploit Discussion)
    ... It's the trust=20 anchors. ... trust ... reason people are scared to do the same thing with dns ... the entity doing the certification. ...
    (Full-Disclosure)
  • Re: Event ID 7062 in DNS logs
    ... you advice me to let the default Internet root ... > hints in place and to use forwarders from the child DNS (DNS server in ... > the root DNS (DNS server on the forest root domain hosting the ... > AD-integrated forestroot.com zone). ...
    (microsoft.public.windows.server.dns)
  • Re: AD Login
    ... phyically in the root domain), logon to with their own AD credentials. ... DNS issues OR to firewall/routing issues. ... or perhaps the DNS servers for one domain cannot find the "other" ...
    (microsoft.public.windows.server.active_directory)
  • Re: What is CACHE.DNS file?
    ... By default, when DNS is running on a Windows 2000 domain controller, the ... root hints are read from Active Directory upon startup first. ... Does the above apply to Windows Server 2003 R2 configured as an AD ...
    (microsoft.public.windows.server.dns)