Re: [DNSOP] A different question (was Re: Kaminsky on djbdns bugs (fwd))

2008-08-16 Thread Ted Lemon
On Aug 16, 2008, at 9:35 PM, Dean Anderson wrote: - If Mal cracks someone else's server, that server still doesn't have the bank's certificate, and won't have the bank's dns domain, either. So the browser should think that it got the wrong certificate. No, that wasn't my point. My point is th

Re: [DNSOP] A different question (was Re: Kaminsky on djbdns bugs (fwd))

2008-08-16 Thread Masataka Ohta
Mark Andrews wrote: >>Considering that two RRs each containing 2048 bit data will need >>oversized messages, they may not be properly treated by some >>servers. >> >>Those suffering from oversized messages may turn off DNSSEC and there >> is instability for those moving with their laptops. >

Re: [DNSOP] A different question (was Re: Kaminsky on djbdns bugs (fwd))

2008-08-16 Thread Dean Anderson
On Sat, 16 Aug 2008, Ted Lemon wrote: > On Aug 16, 2008, at 4:56 PM, Dean Anderson wrote: > > For example, besides the previously mentioned key rollover > > issue, I understand that DNSSEC also doesn't allow the protocol to be > > changed securely. And we do expect the protocol to be changed. >

Re: [DNSOP] A different question (was Re: Kaminsky on djbdns bugs (fwd))

2008-08-16 Thread Mark Andrews
> David Conrad wrote: > > > Given this, does anyone see any DNS security and/or stability concerns > > if a miracle were to happen and the root were to be signed tomorrow? > > Well, it will introduce a lot of large RRs, which may cause problems. > > Considering that two RRs each containing 204

Re: [DNSOP] A different question (was Re: Kaminsky on djbdns bugs (fwd))

2008-08-16 Thread Ted Lemon
On Aug 16, 2008, at 4:56 PM, Dean Anderson wrote: For example, besides the previously mentioned key rollover issue, I understand that DNSSEC also doesn't allow the protocol to be changed securely. And we do expect the protocol to be changed. As a non-expert in DNSSEC, I have to admit that I am

Re: [DNSOP] A different question (was Re: Kaminsky on djbdns bugs (fwd))

2008-08-16 Thread Dean Anderson
People who think they don't care about DNSSEC now, should still be concerned about any changes to root and TLD servers and should be concerned about the consequences of those changes in the future. There really are no changes that have zero impact. > That is, if you don't care about DNSSEC, do

Re: [DNSOP] A different question (was Re: Kaminsky on djbdns bugs (fwd))

2008-08-16 Thread Masataka Ohta
David Conrad wrote: > Given this, does anyone see any DNS security and/or stability concerns > if a miracle were to happen and the root were to be signed tomorrow? Well, it will introduce a lot of large RRs, which may cause problems. Considering that two RRs each containing 2048 bit data will n

Re: [DNSOP] A different question (was Re: Kaminsky on djbdns bugs (fwd))

2008-08-16 Thread Patrik Fältström
On 15 aug 2008, at 22.01, David Conrad wrote: Let me try to (hopefully) more clearly articulate my question: given the fact that caching servers only care about DNSSEC if they're explicitly configured to do so, does anyone anticipate any stability/ security concerns to those folks who _haven