
Re: [Asrg] DNSSEC is NOT secure end to end

2009-06-01 10:31:02
> That is, security of DNSSEC involves third parties and is not end to end.

That is indeed correct. An attacker can build a fake hierarchy of "secure DNS" 
assertions and try to get it accepted. The attack can succeed with the 
complicity of one of the authorities in the hierarchy. It is a classic "attack 
by a trusted party".

Problem is, hop-by-hop security will not protect against an attack by an 
intermediate authority. If an intermediate authority has been compromised, it 
can just as well insert a fake NS record -- that's not harder than a fake 
record signature. Hop-by-hop security will securely connect to the wrong name 
server, to which the wrong NS record points...

-- Christian Huitema
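A small toy model of the point made above: a chain of trust that is validated link by link rejects an outsider who cannot get the parent's signature, but accepts whatever a compromised intermediate signs, including a DS/NS pair that sends the resolver to the wrong name server. This is added example code, not from the thread; the zone names, the "ns.attacker.test." server and the HMAC-based toy signatures are constructed stand-ins for real DNSSEC keys, DS records and RRSIGs.

```python
import hashlib, hmac, secrets

def ds_of(key):                       # parent's DS record: hash of the child's key
    return hashlib.sha256(key).hexdigest()

def sign(key, owner, rtype, rdata):   # toy RRSIG: HMAC over the record text
    return hmac.new(key, f"{owner} {rtype} {rdata}".encode(), "sha256").hexdigest()

class Zone:
    def __init__(self, name):
        self.name, self.key, self.records = name, secrets.token_bytes(32), {}
    def publish(self, owner, rtype, rdata):
        self.records[(owner, rtype)] = (rdata, sign(self.key, owner, rtype, rdata))
    def delegate(self, child, child_key, ns):  # signed DS + NS for a child zone
        self.publish(child, "DS", ds_of(child_key))
        self.publish(child, "NS", ns)

def lookup(zone, owner, rtype, key):
    """Return rdata only if the record's signature verifies under `key`."""
    rdata, sig = zone.records.get((owner, rtype), (None, None))
    if rdata is None or not hmac.compare_digest(sig, sign(key, owner, rtype, rdata)):
        return None
    return rdata

def validate(anchor_key, servers, path):
    """Walk the delegation path, checking each DS/NS link against the key the
    previous link vouched for. Returns (status, name server finally reached)."""
    key, ns = anchor_key, "root-servers"
    for child in path[1:]:
        parent = servers[ns]                    # server the NS chain led us to
        ds, ns = lookup(parent, child, "DS", key), lookup(parent, child, "NS", key)
        if ds is None or ns is None or ds_of(servers[ns].key) != ds:
            return "bogus", None
        key = servers[ns].key                   # trust the key the parent vouched for
    return "secure", ns

def scenario(mode):
    """Constructed zones '.' -> 'example.' -> 'victim.example.', plus an attacker
    zone of the same name served from 'ns.attacker.test.' (placeholder names)."""
    root, example, victim, fake = (Zone(n) for n in
                                   (".", "example.", "victim.example.", "victim.example."))
    servers = {"root-servers": root, "ns.example.": example,
               "ns.victim.example.": victim, "ns.attacker.test.": fake}
    root.delegate("example.", example.key, "ns.example.")
    example.delegate("victim.example.", victim.key, "ns.victim.example.")
    if mode == "outsider":   # resolver diverted to the fake zone; no parent key involved
        servers["ns.victim.example."] = fake
    if mode == "insider":    # the trusted parent itself signs DS/NS for the fake zone
        example.delegate("victim.example.", fake.key, "ns.attacker.test.")
    return validate(root.key, servers, [".", "example.", "victim.example."])
```

The "outsider" case comes back bogus because the parent's DS does not match the fake key, while the "insider" case validates as secure and hands back the attacker's name server, which is exactly the hop-by-hop failure described in the post.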

