To: "D. J. Bernstein" <djb@cr.yp.to>
Cc: ngtrans@sunroof.eng.sun.com, namedroppers@ops.ietf.org, ipng@sunroof.eng.sun.com, dnsop@cafax.se
From: Matt Crawford <crawdad@fnal.gov>
Date: Sun, 22 Jul 2001 14:17:35 -0500
In-reply-to: "20 Jul 2001 22:13:22 -0000." <20010720221322.4452.qmail@cr.yp.to>
Sender: crawdad@gungnir.fnal.gov
Subject: Re: NGtrans - DNSext joint meeting, call for participation

> ``Administrators normally insist on being able to change their records
> with at most a few days notice,'' my web page says, as a starting point
> for analyzing the expiration-date security issues.

Yes, it does indeed say that. It has to say it, because imposing that
ad-hoc restriction is necessary in order to drive to the conclusion
you want. But that doesn't make it so, especially when different
records record information with clearly different volatility.

> Matt Crawford writes:
> > then the signatures on the A6 records covering interface identifiers
> > and subnets can be valid for a long time,
>
> No, they cannot, because that would allow an attacker to interfere with
> updates. This is the security issue analyzed on my web page.

No, it is not analyzed. What you assert is true, but you have not
explored the ramifications.