Re: [Full-disclosure] DNS Cache Dan Kamikaze (Actual Exploit Discussion)



--On July 16, 2008 11:17:07 AM +1000 Mark Andrews <Mark_Andrews@xxxxxxx> wrote:


The real problem isn't signing or resigning zones, or even
successfully=20 completing the original configuration (although those
are not trivial for=20 the average person trying to setup their own
dns). It's the trust=20 anchors. Until the root is signed, trust
anchors are a PITA. And until=20 the root is signed, why should anyone
believe that DNSSEC will achieve=20 wide adoption?

Well there are a number of ccTLD's that are already signed.
RIPE sign their part of the reverse space. ORG is in the
process of getting signed. It's happening.

There are existing solutions to dealing with lack of support
in the infrastructure zones (includes the root). You let
someone you trust collect the trust anchors for you then
incorporate them on a regular basis.

We effectively do this everyday with https but for some
reason people are scared to do the same thing with dns
despite private parts of the keys never being available to
the entity doing the certification. With https the certifying
authority can spoof any site they certify.


Perhaps that's because a cert problem on a web server breaks a single webserver. A cert problem with dns breaks an entire domain.

Paul Schmehl
If it isn't already obvious,
my opinions are my own and not
those of my employer.

Attachment: p7sNzZYktPh1B.p7s
Description: S/MIME cryptographic signature

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Relevant Pages

  • Re: [Full-disclosure] DNS Cache Dan Kamikaze (Actual Exploit Discussion)
    ... the average person trying to setup their own dns). ... Until the root is signed, trust anchors are a PITA. ... the entity doing the certification. ...
    (Full-Disclosure)
  • Re: Trust Validation
    ... We are using DNS instead of WINS so the tool will show it not ... I actually am getting the trust to validate now. ... PortQry features, this is the backend tool for PortQryUI ...
    (microsoft.public.windows.server.active_directory)
  • Re: Not able to establish trust with another window 2003 domain
    ... Not the "Packet needs to be fragmented but DF set". ... I try to use my target domain to create a trust to one of my ... establish a trust to my source, its fail. ... i install a new server on each domain and try to create a DNS ...
    (microsoft.public.windows.server.active_directory)
  • RE: Trust between two Forests Fail
    ... WINS AND DNS are working. ... "THE trust has been validated. ... I can access their Active Directory from my side and can nodify users (using ... Niether side can see the other sides Donain in Windows Explorer " Network ...
    (microsoft.public.windows.server.active_directory)
  • Re: RPC server unavailable, unable to obtain RPC connection to domain controller
    ... Then try establishing the trust again using FQDN not Netbios. ... > I'm having a major problem with my domain controller. ... > 2 of them host Active Directory Integrated DNS zones. ... > that the name can be resolved and that the server is available. ...
    (microsoft.public.windows.server.active_directory)