
Re: DNSSEC is NOT secure end to end

2009-06-08 08:48:02
Shane Kerr wrote:

If you mean COM zone, it is not necessary to inject any data into
the zone.

You, instead, can inject a forged certificate into some cache used
by your victim.

You said transport security can help. How can it in this case?

With plain old DNS, zone administrators have to keep master
zone files secure so that they do not include forged data.

Other administrators take care of transport security, for example,
to make port numbers randomized, which makes plain old DNS
reasonably secure.

With DNSSEC, however, a new administration mechanism to generate
signatures is mandated, which is NOT automagically secure and
introduces new administrative security holes.

Thus, even if master zone files are administered as securely as
in plain old DNS administration, the signature generation mechanisms
may be hacked.

Unlike forgery on master zone files, which is published and
detected by periodic checking by third parties, an attack by an
unpublished forged signature will not be noticed until a victim
is attacked, the victim notices the (resulting loss by successful)
attack and the victim has sufficient knowledge of DNSSEC.

Still, the victim may be protected, if the victim cannot have a
forged signature injected through transport.

Also, how can you create a forged certificate?

By attacking signature generation mechanisms, which is a security
hole specific to DNSSEC not shared by plain old DNS.

Note that DNSSEC does not give any cryptographic protection
against attacks on the signature generation mechanisms.

                                                Masataka Ohta

_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf