Date:      Wed, 9 Jul 2008 17:27:49 -0700
From:      Chris Palmer <chris@noncombatant.org>
To:        Mark Boolootian <booloo@ucsc.edu>, freebsd-security@freebsd.org
Subject:   Re: BIND update?
Message-ID:  <20080710002749.GK55473@noncombatant.org>
In-Reply-To: <20080709235204.GB72293@root.ucsc.edu>
References:  <17cd1fbe0807090819o2aa28250h13c58dbe262abb7c@mail.gmail.com> <3a558cb8f79e923db0c6945830834ba2.squirrel@galain.elvandar.org> <17cd1fbe0807090909i566e1789s6b7b61bf82dd333e@mail.gmail.com> <4874ECDA.60202@elvandar.org> <4874F149.1040101@FreeBSD.org> <17cd1fbe0807091027n6af312cbwab3d3277f2b5e081@mail.gmail.com> <20080709182340.GD55473@noncombatant.org> <4875481E.4000100@kernel32.de> <20080709235204.GB72293@root.ucsc.edu>

Mark Boolootian writes:

> Everyone that uses the Internet depends on the security of DNS.

That's too bad, because DNS never made any security guarantees. When you ask
to resolve www.google.com, the answer does not mean "www.google.com is on
the network at 74.125.19.104." It means "As far as we can tell at the
moment, www.google.com might be on the network at 74.125.19.104, or that
might be a total lie. Good luck! P.S.: Lying is very easy."

There are no guarantees of authentication, authorization, or integrity.

When I need to verify the identity of a host (really, the identity of an
application server -- which is more relevant anyway), I use things like SSL
certificates and SSH host keys.

After all, you were going to need authentication and integrity -- and likely
confidentiality, too -- at the application layer anyway. Right?
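
The point above, that the identity check belongs to the application layer and not to the DNS answer, shown as an added example that is not part of the original message: a host is accepted only if the SSH host key it presents matches a pinned known_hosts entry, whatever address the name resolved to. The host name, addresses and key blobs are constructed sample data, and the parser assumes plain, unhashed, single-name known_hosts lines.

```python
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (4-byte length prefix)."""
    return struct.pack(">I", len(data)) + data


def fingerprint(key_blob: bytes) -> str:
    """SHA256 fingerprint in the form OpenSSH prints (unpadded base64)."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text: str) -> dict:
    """Map host name -> pinned fingerprint from 'host keytype base64' lines."""
    pins = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _keytype, b64 = line.split()[:3]
        pins[host] = fingerprint(base64.b64decode(b64))
    return pins


def host_is_authentic(host: str, presented_blob: bytes, pins: dict) -> bool:
    """Trust decision uses only the pinned key, never the resolved address."""
    pinned = pins.get(host)
    if pinned is None:
        return False  # unknown host: fail closed
    return hmac.compare_digest(pinned, fingerprint(presented_blob))


# Constructed sample data: two fake Ed25519 public key blobs (not real keys).
REAL_KEY = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
ROGUE_KEY = ssh_string(b"ssh-ed25519") + ssh_string(bytes([0xAA]) * 32)
KNOWN_HOSTS = "app.example.org ssh-ed25519 " + base64.b64encode(REAL_KEY).decode()
PINS = parse_known_hosts(KNOWN_HOSTS)

# Two constructed DNS answers for one name; the address plays no part in the decision.
SCENARIOS = {"192.0.2.10": REAL_KEY, "198.51.100.66": ROGUE_KEY}

if __name__ == "__main__":
    for addr, blob in SCENARIOS.items():
        ok = host_is_authentic("app.example.org", blob, PINS)
        print(addr, fingerprint(blob), "trusted" if ok else "REJECTED")
```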



