North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
Re: Exploit for DNS Cache Poisoning - RELEASED
On Jul 24, 2008, at 6:05 PM, Valdis.Kletnieks@xxxxxx wrote:
On Thu, 24 Jul 2008 17:43:10 PDT, David Conrad said:On Jul 24, 2008, at 4:24 PM, Tomas L. Byrnes wrote:The problem is, once the ICANNt root is self-signed, the hope of ever
Except it doesn't work like that. As has been presented in numerous places (RIPE, ICANN, etc.), Richard Lamb has been working with the usual suspects (the Swedish DNSSEC mafia, NLNetLabs folks, Nominet folks, etc.) to come up with a secure, trustable, and accountable architecture for doing the signing. If a miracle happens and IANA were to be allowed to sign the root and then was told to give it to someone else, all that would need to be done would be for IANA staff to hand over the HSM, PIN codes and cards to someone else. Of course, part of the architecture is that there is more than one card and that someone other than IANA would hold the second card (i.e., the same sort of thing you see in US missle silos), but that's somewhat irrelevant to a discussion about how the "dysfunctional mess" would have its "authority" revoked.
I suppose one could argue that ICANN could refuse to hand over the HSM, the PIN codes and cards, but given ICANN is a California- incorporated company providing the IANA functions under a contract with the US government, I somehow doubt ICANN would be in any position to refuse. Federal Marshals can be quite persuasive I'm told.
Of course, all of this is academic since since I figure it is highly unlikely IANA will be permitted to sign the root. If anyone, my money is on VeriSign (you remember them...) but it may be some other Beltway Bandit as Paul suggests.