On Thu, Mar 06, 2003 at 04:50:18AM -0800, Hallam-Baker, Phillip wrote:
> The widespread DNS spoofing scenarios proposed are theoretical not
> practical.

Probably you missed the earlier post with a pointer to a paper on DNS
attacks:
https://www1.ietf.org/mail-archive/working-groups/asrg/current/msg00113.html
and a description of the way that RMX proposal interacts badly to make
DNS even more vulnerable in the context of RMX.

> And if they did prove to be practical it would merely create the
> currently missing imperative for DNSSEC deployment - not a bad thing
> in itself.

However there is no upgrade path to installing DNSSEC as a way of
fixing the problem, because DNSSEC has a version rollback attack. An
attacker can trick a DNSSEC client into thinking the DNSSEC server is
just a DNS server. Even worse it's the same pattern of attack that
makes RMX vulnerable to DNS attacks.
To fix it you'd have to fully deploy DNSSEC and _disable_ DNS. This
is likely a problem as hard as fixing spam, as it's of similar order
to replacing SMTP as a protocol with a cut-off date.
On top of that DNSSEC presumes a PKI, which as we've seen over the
last 5 years is a hard thing to deploy in and of itself.
Adam