[dns-operations] Unplanned DLV zone outage on 2009-Apr-06

Jeremy C. Reed reed at reedmedia.net
Tue Apr 14 22:16:23 UTC 2009


On Tue, 14 Apr 2009, Eric Osterweil wrote:

> Thus, I think SecSpider is quite useful for this.  Our assertion is 
> simply that the keys we serve are those that have been observed from our 
> distributed polling infrastructure.  We poll our corpus from multiple 
> points on several continents and only publish keys that are consistent 
> across all pollers using the name servers from both the parent zone's 
> view of the NS RRset and those name servers' views of the NS RRset.  We 
> claim that this is the "public" view of keys and that an adversary would 
> have a phenomenally difficult time spoofing all of our pollers, from all 
> of a zone's name servers, at the precise/random time that we poll (we do 
> not use caches).  Thus, our security model revolves around making 
> decisions based on global key consistency.

How often are they verified?

What happens if the unknowing zone decided to become unsigned but the DLV 
still indicates that it should be signed? (Due to no relationship and 
communication with the DLV.)



More information about the dns-operations mailing list