EC> Date: 30 Dec 2002 19:39:20 +0300
EC> From: Eugene Crosser

EC> Not really. That part of my script only runs once, and

Doing a "dig +norec @xxx . ns" sends UDP-based DNS query 0002. Looking up an IP address sends UDP-based DNS query 0001. If the DNS query IDs generated by each method are comparable, the safety of each is comparable.

EC> can be omitted altogether. Instead, you can (and probably
EC> should) download the key by hand and check the fingerprint
EC> offline (e.g. call friends).

Likewise, one could have a centrally-distributed copy of the hints file.

Perhaps one should automate downloading the new hints file, let a script/program compare them, then send a message if material changes are detected. An admin can verify the contents manually, then commit the changes. Distribute to other nameservers via a trustworthy protocol, thus minimizing duplicate effort.

Eddy
--
Brotsman & Dreger, Inc. - EverQuick Internet Division
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 (785) 865-5885 Lawrence and [inter]national
Phone: +1 (316) 794-8922 Wichita
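The compare step suggested in the message above, as an added example that is not part of the original post: it parses two hints files and reports only material differences (NS, A and AAAA records added or removed), ignoring comments, TTLs, class and letter case. The function names are hypothetical, the sample data is constructed (documentation addresses, not real root servers), and it assumes one record per line with an explicit owner name.

```python
"""Report material changes between two root hints files (added example)."""

RR_TYPES = {"NS", "A", "AAAA"}

def parse_hints(text):
    """Return a set of (owner, type, rdata); comments, TTL and class are dropped."""
    records = set()
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()   # strip trailing ';' comments
        if len(fields) < 3:
            continue                             # blank, comment-only or $TTL line
        owner, rest = fields[0].lower(), fields[1:]
        # Skip the optional TTL and class columns, whichever order they appear in.
        while rest and (rest[0].isdigit() or rest[0].upper() == "IN"):
            rest = rest[1:]
        if len(rest) >= 2 and rest[0].upper() in RR_TYPES:
            records.add((owner, rest[0].upper(), rest[1].lower()))
    return records

def material_changes(old_text, new_text):
    """Return (added, removed) record lists; both empty means nothing to review."""
    old, new = parse_hints(old_text), parse_hints(new_text)
    return sorted(new - old), sorted(old - new)

# Constructed sample data: the trusted copy and a freshly downloaded copy.
OLD_HINTS = """\
; constructed sample, trusted copy
.                 3600000  IN  NS  A.ROOT.EXAMPLE.
A.ROOT.EXAMPLE.   3600000      A   192.0.2.1
.                 3600000      NS  B.ROOT.EXAMPLE.
B.ROOT.EXAMPLE.   3600000      A   192.0.2.2
"""
NEW_HINTS = """\
; constructed sample, new download (TTL, case and comments differ)
.                 518400   NS    a.root.example.
a.root.example.   518400   A     192.0.2.1
.                 518400   NS    b.root.example.
b.root.example.   518400   A     198.51.100.2   ; renumbered
b.root.example.   518400   AAAA  2001:db8::2
"""

if __name__ == "__main__":
    added, removed = material_changes(OLD_HINTS, NEW_HINTS)
    for sign, recs in (("+", added), ("-", removed)):
        for owner, rtype, rdata in recs:
            print(sign, owner, rtype, rdata)
    # A non-zero exit lets cron or a wrapper send the message to the admin.
    raise SystemExit(1 if added or removed else 0)
```

The admin still verifies any reported change by hand before committing the new file; an empty report means the download differs only cosmetically from the trusted copy.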
