
Re: DNSSEC is NOT secure end to end (more tutorial than debating)

2009-06-04 19:23:51
Andrew Sullivan wrote:

>> Though we have to trust the zone administration to put correct referral
>> and glue data in a master zone file, unless we use DNSSEC, we don't
>> have to trust the zone administration never to issue certificates over
>> forged keys of child zones.

> If an attacker can get its bogus data into the referring zone,

I never said such a thing.

I said "issue certificates over forged keys of child zones".

The attack is possible for those who have access to signature
generation mechanisms, and the attack is not visible until the
false certificates are used later.

People who introduced DNSSEC believing that DNSSEC makes cache poisoning
a non-problem are ready to accept false certificates through an
unprotected cache.

Thus, we must protect the cache anyway.

Then, what is the point of introducing DNSSEC only to add another
possibility of security holes?

                                                Masataka Ohta

_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
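An added illustration of the point argued above (example code, not from the thread or from any DNSSEC implementation): a toy chain-of-trust validator in Python, with deliberately tiny textbook RSA standing in for real DNSSEC signatures. A validator accepts whatever DS the parent's signer publishes, so a DS issued over a key the child never held chains back to the trust anchor exactly as the genuine one does, while the same substitution made without the parent's signing key fails. Zone names, primes and addresses are constructed.

```python
import hashlib

E = 17  # toy RSA exponent; the primes used below are constructed and far too small for real use

def keygen(p, q):
    return {"pub": p * q, "priv": pow(E, -1, (p - 1) * (q - 1))}
def h(data, n):  # map an RRset into Z_n
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n
def sign(key, data):
    return pow(h(data, key["pub"]), key["priv"], key["pub"])
def verify(pub, data, sig):
    return pow(sig, E, pub) == h(data, pub)
def ds_of(pub):  # DS record: digest of the child's DNSKEY, published and signed by the parent
    return hashlib.sha256(b"DNSKEY:%d" % pub).digest()

def make_zone(key, child=None, child_pub=None, data=b""):
    # One data RRset, at most one DS (for one child), RRSIG over each with the zone's own key.
    rrsets = {"DATA": data}
    if child:
        rrsets["DS:" + child] = ds_of(child_pub)
    return {"pub": key["pub"], "rrsets": rrsets,
            "rrsig": {k: sign(key, v) for k, v in rrsets.items()}}

def validate(zones, path, anchor_pub):
    # Walk parent -> child from the trust anchor; a zone's key is accepted
    # only if it matches the DS that the already-trusted parent signed.
    expected_ds = ds_of(anchor_pub)
    for i, name in enumerate(path):
        z = zones[name]
        if ds_of(z["pub"]) != expected_ds:
            return False
        if i + 1 < len(path):
            ds = "DS:" + path[i + 1]
            if ds not in z["rrsets"] or not verify(z["pub"], z["rrsets"][ds], z["rrsig"][ds]):
                return False
            expected_ds = z["rrsets"][ds]
    leaf = zones[path[-1]]
    return verify(leaf["pub"], leaf["rrsets"]["DATA"], leaf["rrsig"]["DATA"])

def demo():
    root_k, parent_k, child_k, forged_k = (keygen(p, q) for p, q in [(61, 53), (71, 67), (89, 97), (109, 113)])
    path = [".", "example", "www.example"]
    root = make_zone(root_k, "example", parent_k["pub"])

    def chain(parent_key, leaf_key):  # build example + www.example with the given signers
        return validate({".": root, "example": make_zone(parent_key, "www.example", leaf_key["pub"]),
                         "www.example": make_zone(leaf_key, data=b"A 192.0.2.1")}, path, root_k["pub"])

    honest = chain(parent_k, child_k)     # the key the child actually holds
    insider = chain(parent_k, forged_k)   # parent's signer issues a DS over a key the child never held
    poisoned = chain(forged_k, forged_k)  # same substitution, but signed without the parent's key
    return honest, insider, poisoned
```

The defender's takeaway is that DNSSEC moves the trust from the cache to the DS-issuing process, so DS changes at the parent deserve the same change control and monitoring as certificate issuance.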
