Subject: Re: question about dns trust profile
On Feb 5, 2009, at 2:14 PM, Brian Eaton wrote:

> I just read over the DNS authority trust profile you wrote up:
> http://wiki.oasis-open.org/xri/XrdOne/TrustProfileDNSAuthority
>
> I'm not sure I understand the resource name to document binding, let
> me double check.
>
> - someone starts with a resource X
> - DNS publishes a mapping from resource X to document id Y
> - when they download the document, they check that X == Y.

Yes, you have the mapping correctly.

> Is that right? It seems vulnerable to attacks on DNS.

True, but no more so than an A record attack on the DNS for almost every resource we have. The real test, IFAIC, is a trust in the signature keys. Anything else is liable to introduce attacks.

> Is the
> expectation that DNS SEC will be used to prevent those attacks, or
> that DNS spoofing is an acceptable risk?

Both, actually. I suspect we will see a large growth in TLD signing over 2009... in the meantime, the DNS attack is, I think, acceptable.

I thought pretty long on alternatives, but came up with nothing any better that did not require fundamental infrastructure changes which would only challenge interoperability.

=peterd