[13728] in cryptography@c2.net mail archive


Re: Attacking networks using DHCP, DNS - probably doesn't kill DNSSEC

daemon@ATHENA.MIT.EDU (Bill Sommerfeld)
Sun Jun 29 15:11:46 2003

X-Original-To: cryptography@metzdowd.com
From: Bill Sommerfeld <sommerfeld@orchard.arlington.ma.us>
To: "Steven M. Bellovin" <smb@research.att.com>
Cc: Bill Stewart <bill.stewart@pobox.com>, cryptography@metzdowd.com
In-Reply-To: Your message of "Sat, 28 Jun 2003 23:15:45 EDT."
             <20030629031545.83BFA7B4D@berkshire.research.att.com> 
Reply-To: sommerfeld@orchard.arlington.ma.us
Date: Sun, 29 Jun 2003 13:30:30 -0400

One key point though: even if DNSSEC was deployed from the root, and a
trusted copy of the root key was on the client, the search path/default
domain must *also* come from a trusted source.

Currently, default domain/search path often comes from DHCP, and for
nomadic laptops where the relationship to the local network is often
casual at best, this is likely to be a mistake.

						- Bill


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
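
The point in the message above, as an added example that is not part of the original post: a check that expands a short name through the resolver search list the way resolv.conf(5) describes and flags search domains that are not on a locally configured trusted list. A query built from such a domain can carry a perfectly valid DNSSEC signature and still name a host in someone else's zone. Assumptions: a resolv.conf-style file, constructed domain names and addresses, and hypothetical function names.

```python
# Added example (not from the original message): audit a resolver search list.
# Domain names, addresses and function names are constructed for illustration.

SAMPLE_RESOLV_CONF = """\
# constructed sample: as written by a DHCP client on a visited network
nameserver 192.0.2.53
search cafe-wifi.example corp.example
"""

def parse_search_list(text):
    """Effective search list; the last 'search' or 'domain' line wins."""
    search = []
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0][0] in "#;":
            continue                                # blank line or comment
        if fields[0] == "search":
            search = [d.rstrip(".").lower() for d in fields[1:]]
        elif fields[0] == "domain" and len(fields) > 1:
            search = [fields[1].rstrip(".").lower()]
    return search

def candidates(name, search, ndots=1):
    """(query name, search domain used) pairs, in the order resolv.conf(5) describes."""
    if name.endswith("."):                          # fully qualified: no search list
        return [(name.rstrip(".").lower(), None)]
    name = name.lower()
    expanded = [(f"{name}.{d}", d) for d in search]
    absolute = [(name, None)]
    # Names with at least ndots dots are tried as-is first, otherwise last.
    return absolute + expanded if name.count(".") >= ndots else expanded + absolute

def is_trusted(domain, trusted):
    """True if domain equals, or is a subdomain of, a locally trusted domain."""
    return any(domain == t or domain.endswith("." + t) for t in trusted)

def audit(resolv_text, name, trusted):
    """Return (untrusted search domains, query names that would be built from them)."""
    search = parse_search_list(resolv_text)
    untrusted = [d for d in search if not is_trusted(d, trusted)]
    risky = [q for q, d in candidates(name, search) if d in untrusted]
    return untrusted, risky

if __name__ == "__main__":
    untrusted, risky = audit(SAMPLE_RESOLV_CONF, "mail", ["corp.example"])
    print("untrusted search domains:", untrusted)
    print("queries that would resolve in an untrusted zone:", risky)
```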
