Attacking networks using DHCP, DNS - probably kills DNSSEC

William Allen Simpson wsimpson at greendragon.com
Mon Jun 30 10:05:38 PDT 2003


"Steven M. Bellovin" wrote:
> 
> In message <iluof0gh7vy.fsf at latte.josefsson.org>, Simon Josefsson writes:
> >Of course, everything fails if you ALSO get your DNSSEC root key from
> >the DHCP server, but in this case you shouldn't expect to be secure.
> >I wouldn't be surprised if some people suggest pushing the DNSSEC root
> >key via DHCP though, because alas, getting the right key into the
> >laptop in the first place is a difficult problem.
> >
> 
> I can pretty much guarantee that the IETF will never standardize that,
> except possibly in conjunction with authenticated dhcp.
> 
Would this be the DHCP working group that on at least 2 occasions 
when I was there, insisted that secure DHCP wouldn't require a secret, 
since DHCP isn't supposed to require "configuration"?

And all I was proposing at the time was username, challenge, MD5-hash
response (very CHAP-like).  They can configure ARP addresses for 
"security", but having both the user and administrator configure a
per-host secret was apparently out of the question.
-- 
William Allen Simpson
    Key fingerprint =  17 40 5E 67 15 6F 31 26  DD 0D B9 9B 6A 15 2C 32
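
The username, challenge, MD5-hash response exchange mentioned above, sketched with the CHAP response computation from RFC 1994 and a verifier that holds a per-host secret. This is an added example, not code from the post or from any DHCP proposal. The class, function and host names and the secret value are constructed, and how the messages would be carried in DHCP is left out.

```python
import hashlib
import hmac
import os


def chap_response(ident, secret, challenge):
    """RFC 1994 response value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side: knows each host's secret, issues single-use challenges."""

    def __init__(self, secrets):
        self._secrets = secrets   # username -> shared secret (bytes)
        self._pending = {}        # (username, identifier) -> challenge
        self._next_id = 0

    def issue_challenge(self, username):
        ident = self._next_id
        self._next_id = (self._next_id + 1) % 256   # identifier is one octet
        challenge = os.urandom(16)                  # unpredictable per attempt
        self._pending[(username, ident)] = challenge
        return ident, challenge

    def verify(self, username, ident, response):
        # pop() consumes the challenge, so a captured response cannot be replayed
        challenge = self._pending.pop((username, ident), None)
        secret = self._secrets.get(username)
        if challenge is None or secret is None:
            return False
        expected = chap_response(ident, secret, challenge)
        return hmac.compare_digest(expected, response)  # constant-time compare


def demo():
    secret = b"constructed-per-host-secret"   # constructed sample value
    server = ChapAuthenticator({"laptop-01": secret})

    ident, challenge = server.issue_challenge("laptop-01")
    answer = chap_response(ident, secret, challenge)   # client side
    first = server.verify("laptop-01", ident, answer)
    replay = server.verify("laptop-01", ident, answer)

    ident2, challenge2 = server.issue_challenge("laptop-01")
    bad = chap_response(ident2, b"wrong-secret", challenge2)
    wrong = server.verify("laptop-01", ident2, bad)
    return first, replay, wrong
```

The secret never crosses the wire, but both ends must be configured with it, which is the per-host configuration step the post refers to.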

---------------------------------------------------------------------
The Cryptography Mailing List