
Re: [ietf] DNS spoofing at captive portals

2010-09-27 09:41:41
I don't see why DNSSEC makes dropping out zones impossible.

All DNSSEC does is to enable the end point to know that there is data
missing. It does not provide the end zone with any way to find the missing
data, nor is there any user interaction that makes any real sense in that
situation.

But the real answer to the problem is that the root zone signature is not
the root of trust for my DNS, it is the root of trust for the ICANN DNS.

myDNS = icannDNS - maliciousDNS


I plan to publish my root cert for my zone at the apex of my DNS zone and
establish that out-of-band as the trust anchor for every device and
application in my network.

Hosts in my network will determine that a secure DNS resolver is available
for the zone via the ESRV mechanism I recently proposed and establish a
secure tunnel with my DNS resolver via a protocol TBS, but probably based on
either the TLS handshake to establish a ticket containing all necessary
server-side state or the existing (but rather old and needing much revision)
TKEY mechanism and either TSIG or a cryptographic packaging mechanism TBS.

It would also be possible to adapt either DTLS or IPSEC. But neither of
those is well suited to use as a security wrapper for DNS for reasons I
won't go into here.


On Sun, Sep 26, 2010 at 12:26 PM, Tony Finch <dot(_at_)dotat(_dot_)at> wrote:

> On 25 Sep 2010, at 01:16, John Levine <johnl(_at_)iecc(_dot_)com> wrote:
>
>> Plan C: Sophisticated ISPs might configure their own DNSSEC key into
>> customer resolvers, and sign replacement records with that.
>
> DNSSEC's validation model makes this basically impossible. The customer
> resolvers would have to know ahead of time which names will be overridden by
> their ISP and so may be validated by the extra trust anchor.
>
>> Plan D: ISPs that want to block the DNS for evil domains just return a
>> server failure response for the appropriate queries.
>
> See also Paul Vixie's RPZ proposal.
>
> Tony.
> --
> f.anthony.n.finch  <dot(_at_)dotat(_dot_)at>  http://dotat.at/
> _______________________________________________
> Ietf mailing list
> Ietf(_at_)ietf(_dot_)org
> https://www.ietf.org/mailman/listinfo/ietf

-- 
Website: http://hallambaker.com/