--- "Brian J. Murrell" <[EMAIL PROTECTED]> wrote:

> Signed DNS requests and (more importantly) replies? I am sure you
> could imagine, but to give just a rough picture, (from what I have
> read of it) every DNS server (interested in ensuring the integrity of
> its communications) has a certificate which is signed by an
> authority, usually, your upstream DNS provider. From then on it's
> pretty basic certificate chain type processing.
Then someone exploits a basic hole in your DNS server software and you've got signed packets from a compromised DNS server with a shiny certificate :o)

> Why develop (and deploy!!) a new protocol and service to do
> essentially the same thing as DNS for only slightly different kinds of
> data.

Why not use something that was really designed as a directory service like LDAP? DNS was designed to be a networked version of /etc/hosts.
