Re: Historic Moment - Root zone of the Internet was just signed minutes ago!!!

2010-07-22 09:55:25
What Mark is saying here is that DNSSEC is not designed to provide
very much security and so does not need to be very secure.

What I am saying is that people are already assuming that DNSSEC
provides a very much higher standard of security and that this is
going to lead to new security failures. Remember that an initial
response to the Kaminsky attack from at least one vendor was that DNS
was designed to be vulnerable to cache poisoning.


I see three options

1) Cancel DNSSEC

Not happening, move on.

2) Educate people so that they understand exactly what security DNSSEC
is going to provide.

Good luck with that one. People will do silly things, ignore all the
warning labels and then blame the protocol. There is a real risk that
some will sue. And telling people that DNSSEC is not going to secure
the Internet is not going to be very easy while Vint Cerf is out there
telling people that it is.

3) Design a DNSSEC 2.0 that meets the expectations.

Which is I think a lot easier than it may appear.


On Wed, Jul 21, 2010 at 9:04 PM, Masataka Ohta
<mohta(_at_)necom830(_dot_)hpcl(_dot_)titech(_dot_)ac(_dot_)jp> wrote:
Mark Andrews wrote:

If there is going to be an unbroken chain of trust then at some point
there has to be a point where the registry signs the domain owner key
and it is damned obvious that that is the potential weak link in the
chain. I don't want to be more specific than that because I know from
previous interactions that if I try to be precise the response will be
to try to distract with irrelevant nitpicking.

Any chain is breakable by MitM attacks on its intermediate links.

Yes adding data to the parent zone requires secure authenticated
communication.  DS however are no different to NS.  Both require the
same level of authentication.  Yes it is subject to potential social
engineering attacks.

That's how DNSSEC is not secure end to end and only as secure as
plain old DNS (assuming both are properly implemented, though
proper implementation of DNSSEC should be a lot more complex
and, thus, difficult, if not impossible, than plain old DNS).

The end to end security can be established only by sharing a security
information directly and securely by ends without any intermediate
entities such as CAs.

                                               Masataka Ohta
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf




-- 
Website: http://hallambaker.com/