[dns-operations] the mathematics of kaminsky spoofing probability
David Conrad
drc at virtualized.org
Thu Aug 7 22:47:29 UTC 2008
Shane,
On Aug 6, 2008, at 1:51 AM, Shane Kerr wrote:
> I assure you nobody is going to put the keys for my vanity domain into
> their list of trust anchors.
Why not? If your trust anchor is with a bunch of others in a (set of)
well known place(s) and there are tools that allow for those trust
anchors to be downloaded and installed on a periodic basis, I'd think
people would make use of your vanity domain trust anchor.
> We are a long way from having very many resolvers use DLV - most don't
> even support DNSSEC (at least not by default). It's kind of a question
> as to whether the long, slow process of getting resolvers updated will
> go faster than the long, slow process of getting zones signed (I expect
> we will have zones signed faster, to be honest). :)
Using an include file full of trust anchors wouldn't (to my knowledge)
require getting resolvers updated and wouldn't require the caching
server operator to trust/rely upon the DLV operator (whoever it might
be)...
Regards,
-drc