Martin Rex writes
On Wed, Oct 20, 2010 at 9:55 PM, Mark Andrews <marka(_at_)isc(_dot_)org>
The DNS is not just name to address translation.
It doesn't really matter what DNS translates, all translations
are equally untrusted.
Actually it's not these days. I can trust some answers from the DNS
more than other answers from the DNS.
The architecture of the internet is based on good faith and best effort.
DNS is _no_ different.
What we're fighting about is probably not what exactly DNSSEC is
about, but how we define the meaning of "trusted". A lot of folks
seem to argue based on the assumption "faith" == "trust".
I can trust that some answers have not been tampered with in transit;
others I can't. Whether the original data was "good" or not is
another question. I need to also make a decision about whether to
trust that data or not but I can't do that as safely without first
knowing that it hasn't been tampered with in transit.
For email we can eliminate MITM interception attacks now that we
have DNSSEC. The answers to the MX, A and AAAA lookups can now be
secured. This gives you an MX record (explicit or implicit) which
is reasonable to trust. From that you know who you are supposed
to be talking to and what CERT should be presented in response
to STARTTLS. The only thing missing is a way to say that you should
expect to have STARTTLS offered to you when you make the SMTP
connection. A simple solution to that would be to have an SMX (Secure
MX) record which is otherwise identical to an MX record but indicates
that STARTTLS is offered by the mail exchangers for this mail domain.
Even without SMX you have stopped redirection by returning fake MX
RRsets or fake A / AAAA records. You now need to redirect/intercept
the TCP connections. You have made the job of intercepting email
If you want to authenticate your peer, use something like an SSH host
And how do you know you should trust the host key the remote machine
Use whatever you feel comfortable with. Out-of-band pen&paper.
Leap-of-faith on initial encounter.
What do you do yourself when you meet some person for the first time?
Do you ask them for their passport or legal ID-card (not that it would
make much of a difference)? And what do you do on repeated encounter?
It depends on what my relationship with them will be.
The traditional human concept of "trust" between persons is
a combination of "leap-of-faith on initial encounter" with non-negative
experience and getting accustomed to sensory input patterns of some
of the other person's biometrics (which requires memorizing those patterns).
And both evolution and everyday life show us that collecting memories
about previous encounters can help us to significantly reduce our
susceptibility to impersonation.
We also have introductions.
People also read body language etc. none of which is available digitally.
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka(_at_)isc(_dot_)org
Ietf mailing list
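
The delivery decision discussed in the message above, as an added example that is not part of the original post: it models a sending MTA that knows whether the MX answer passed DNSSEC validation, and shows which cases the proposed SMX record would additionally catch. The `Lookup` and `Session` types, the result strings and all host names are assumptions constructed for illustration; SMX is the hypothetical record type from the message, not a deployed one.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Lookup:
    """Constructed model of an MX lookup result for one mail domain."""
    exchangers: tuple      # MX target host names
    validated: bool        # True if the RRset passed DNSSEC validation
    smx: bool = False      # hypothetical SMX: exchangers offer STARTTLS

@dataclass(frozen=True)
class Session:
    """What the sender observes after connecting to one exchanger."""
    host: str              # exchanger name the sender connected to
    starttls_offered: bool # EHLO response advertised STARTTLS
    cert_names: tuple = () # names in the certificate presented, if any

def decide(lookup: Lookup, session: Session) -> str:
    """Return a delivery decision for one SMTP session."""
    if session.host not in lookup.exchangers:
        return "refuse: host is not an MX target"
    if not lookup.validated:
        # Unsigned answer: the MX name itself may be forged, so a
        # certificate match against it authenticates nothing.
        return ("deliver-tls-unauthenticated" if session.starttls_offered
                else "deliver-clear")
    if not session.starttls_offered:
        # Only an SMX-style signal lets the sender tell "no TLS here"
        # apart from "STARTTLS was stripped on the path".
        return "refuse: STARTTLS stripped" if lookup.smx else "deliver-clear"
    if session.host not in session.cert_names:
        return "refuse: certificate does not match validated MX name"
    return "deliver-tls"

# Constructed sample data.
MX = ("mx1.example.org",)
SIGNED = Lookup(MX, validated=True)
SIGNED_SMX = Lookup(MX, validated=True, smx=True)
UNSIGNED = Lookup(MX, validated=False)
GOOD = Session("mx1.example.org", True, ("mx1.example.org",))
WRONG_CERT = Session("mx1.example.org", True, ("other.example.net",))
NO_TLS = Session("mx1.example.org", False)

if __name__ == "__main__":
    for lk, name in ((SIGNED, "signed"), (SIGNED_SMX, "signed+smx"),
                     (UNSIGNED, "unsigned")):
        for s in (GOOD, WRONG_CERT, NO_TLS):
            print(f"{name:11} tls={s.starttls_offered!s:5} "
                  f"cert={s.cert_names} -> {decide(lk, s)}")
```
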