[dns-operations] After Google Mail, Google Docs, Google Wave... Google DNS
Mike Ryan
mikeryan at ISI.EDU
Fri Dec 4 19:28:10 UTC 2009
On Fri, Dec 04, 2009 at 06:17:21PM +0100, Stephane Bortzmeyer wrote:
> On Thu, Dec 03, 2009 at 06:37:55PM -0500,
>
> Indeed, one thing that puzzles me about Google DNS: since the
> resolvers are far away from my machine and are anycasted (which
> complicates the detection of a hijacking), why didn't Google provide a
> way to secure the link with them (such as TSIG)?
TSIG is based on a pre-shared key model. If Google published a common
key, then those doing MITM would have access to the same key.
The only way it would be feasible from a security standpoint is if they
had a secure interface to upload your own key (e.g., HTTPS). That sounds
cumbersome and I doubt they'd want to deal with troubleshooting the
strange issues that would arise from that.
Mike Ryan
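As an added example that is not part of Mike Ryan's post or of the thread, the following Python sketches the pre-shared-key point above: a TSIG-style HMAC over a response verifies for anyone who holds the key, so a published common key authenticates nothing, while a per-user key causes a forged response to be rejected. The key name, key strings, response blobs and timestamp are constructed, and the TSIG encoding is simplified rather than exact RFC 8945 wire format.

```python
import hashlib
import hmac
import struct

# Simplified TSIG-style MAC: HMAC over the DNS message plus the signed TSIG
# variables (key name, time signed, fudge). Real TSIG hashes the exact wire
# encoding with more fields; the trust model shown here is the same.
def tsig_mac(key: bytes, key_name: str, message: bytes,
             time_signed: int, fudge: int = 300) -> bytes:
    data = message + key_name.lower().encode() + struct.pack("!QH", time_signed, fudge)
    return hmac.new(key, data, hashlib.sha256).digest()

def tsig_verify(key: bytes, key_name: str, message: bytes, time_signed: int,
                fudge: int, mac: bytes, now: int) -> bool:
    # Reject stale or far-future signatures, then compare MACs in constant time.
    if abs(now - time_signed) > fudge:
        return False
    expected = tsig_mac(key, key_name, message, time_signed, fudge)
    return hmac.compare_digest(expected, mac)

# Constructed sample responses (text stand-ins for DNS wire format, TEST-NET addresses).
GENUINE = b"example.com. IN A 192.0.2.10"
FORGED = b"example.com. IN A 198.51.100.99"
KEY_NAME = "resolver-key.example."   # constructed key name
NOW = 1259954890                     # constructed timestamp (Dec 2009)

def run(client_key: bytes, resolver_key: bytes, attacker_key: bytes):
    """Resolver signs GENUINE, a man-in-the-middle signs FORGED; the client
    verifies both against the key it trusts. Returns (genuine_ok, forged_ok)."""
    genuine_mac = tsig_mac(resolver_key, KEY_NAME, GENUINE, NOW)
    forged_mac = tsig_mac(attacker_key, KEY_NAME, FORGED, NOW)
    return (tsig_verify(client_key, KEY_NAME, GENUINE, NOW, 300, genuine_mac, NOW),
            tsig_verify(client_key, KEY_NAME, FORGED, NOW, 300, forged_mac, NOW))

PUBLISHED_KEY = b"published-to-everyone"                  # constructed
PRIVATE_KEY = b"per-user-secret-uploaded-over-https"      # constructed

def published_key_case():
    # Everyone, including the attacker, holds the same key: both responses verify.
    return run(PUBLISHED_KEY, PUBLISHED_KEY, PUBLISHED_KEY)

def per_user_key_case():
    # Only client and resolver hold the key; the attacker's forgery fails.
    return run(PRIVATE_KEY, PRIVATE_KEY, b"attacker-guess")

if __name__ == "__main__":
    print("published key:", published_key_case())
    print("per-user key: ", per_user_key_case())
```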