[dns-operations] the mathematics of kaminsky spoofing probability

David Conrad drc at virtualized.org
Thu Aug 7 22:47:29 UTC 2008


On Aug 6, 2008, at 1:51 AM, Shane Kerr wrote:
> I assure you nobody is going to put the keys for my vanity domain into
> their list of trust anchors.

Why not?  If your trust anchor is with a bunch of others in a (set of)  
well known place(s) and there are tools that allow for those trust  
anchors to be downloaded and installed on a periodic basis, I'd think  
people would make use of your vanity domain trust anchor.

> We are a long way from having very many resolvers use DLV - most don't

> even support DNSSEC (at least not by default). It's kind of a question
> as to whether the long, slow process of getting resolvers updated will
> go faster than the long, slow process of getting zones signed (I  
> expect
> we will have zones signed faster, to be honest). :)

Using an include file full of trust anchors wouldn't (to my knowledge)  
require getting resolvers updated and wouldn't require the caching  
server operator to trust/rely upon the DLV operator (whoever it might  


More information about the dns-operations mailing list