Re: [DNSOP] Practical issues deploying DNSSEC into the home.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 






On Thu, Sep 12, 2013 at 2:07 PM, Ted Lemon <Ted.Lemon@xxxxxxxxxxx> wrote:
On Sep 12, 2013, at 1:49 PM, "Dickson, Brian" <bdickson@xxxxxxxxxxxx> wrote:
> In order to subvert or redirect a delegation, the TLD operator (or
> registrar) would need to change the DNS server name/IP, and replace the DS
> record(s).

Someone who possesses the root key could in principle create a fake DNS hierarchy with relatively few strategic changes, and present it only to certain attack targets.   This would be expensive, but not impossible.   It would not work, for example, for dragnet-style surveillance.


It would not work for covert dragnet surveillance. 

It would work just fine if the attacker did not mind if the surveillance was detected or actually wanted people to know they were being watched to intimidate them.

--
Website: http://hallambaker.com/

[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]