
Re: [DNSOP] Practical issues deploying DNSSEC into the home.

2013-09-12 15:58:22
Ted Lemon wrote:

> This isn't _quite_ true. DNSSEC supports trust anchors at
> any point in the hierarchy, and indeed I think the right
> model for DNSSEC is that you would install trust anchors
> for things you really care about, and manage them in the
> same way that you manage your root trust anchor. E.g.,
> you'd install a trust anchor for your employer, and your
> bank, and maybe your local town government. This is
> all future UI work, of course.

Operationally, that's not practical. Users can't manage
their trust anchors securely.

> Furthermore, if the root key is compromised and that is then
> used to substitute a bogus key, it isn't that hard to notice
> that this has happened, and indeed we ought to be
> systematically noticing these things. So hacking the root
> key is certainly a valid threat, but there is a great deal
> more transparency in the DNSSEC system than in the TLS PKI,
> and that should mean that the system is more robust in the
> face of this kind of attack.

According to your theory, we don't need DNSSEC, because
cache poisoning attacks on plain DNS are easily detectable.

                                                Masataka Ohta
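The exchange above turns on what a trust anchor below the root actually buys a validator: a DS-style anchor for one zone lets the resolver check that zone's DNSKEY without trusting the root at all, and a substituted key simply fails the digest check. The following is an added worked example, not code from the thread or from any resolver; it implements the RFC 4034 key tag (Appendix B) and DS digest (section 5.1.4, digest type 2 = SHA-256) computations and checks candidate DNSKEYs against a locally configured anchor. The zone name `example.org.` and the 64-byte public key are constructed sample values, and algorithm 13 (ECDSAP256SHA256) is used only because its public key is a fixed 64 bytes.

```python
import hashlib
import hmac
import struct


def name_to_wire(name: str) -> bytes:
    """Encode an owner name in canonical (lowercase) DNS wire form."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    out = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (for every algorithm except 1/RSAMD5)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner: str, rdata: bytes) -> bytes:
    """RFC 4034 5.1.4: digest = SHA-256(canonical owner name | DNSKEY RDATA)."""
    return hashlib.sha256(name_to_wire(owner) + rdata).digest()


def make_trust_anchor(owner, flags, protocol, algorithm, pubkey) -> dict:
    """Build the DS-form trust anchor an operator would pin for `owner`."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    return {
        "owner": owner.lower(),
        "key_tag": key_tag(rdata),
        "algorithm": algorithm,
        "digest_type": 2,
        "digest": ds_digest(owner, rdata),
    }


def matches_trust_anchor(anchor, owner, flags, protocol, algorithm, pubkey) -> bool:
    """True only if the presented DNSKEY is the one the anchor pins.

    Owner name, algorithm and key tag must all agree, and the recomputed
    digest must equal the pinned one (compared in constant time)."""
    if owner.lower() != anchor["owner"] or algorithm != anchor["algorithm"]:
        return False
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    if key_tag(rdata) != anchor["key_tag"]:
        return False
    return hmac.compare_digest(ds_digest(owner, rdata), anchor["digest"])


# Constructed sample: a KSK (flags 257 = ZONE|SEP) for example.org.,
# protocol 3, algorithm 13, with a placeholder 64-byte public key.
ZONE = "example.org."
GENUINE_KEY = bytes(range(1, 65))
GENUINE_RDATA = dnskey_rdata(257, 3, 13, GENUINE_KEY)


def demo() -> dict:
    """Pin the genuine key, then check three candidates against the anchor."""
    anchor = make_trust_anchor(ZONE, 257, 3, 13, GENUINE_KEY)
    # A key with one byte changed, as a substituted key would be.
    substituted = GENUINE_KEY[:-1] + bytes([GENUINE_KEY[-1] ^ 0x01])
    return {
        "anchor_key_tag": anchor["key_tag"],
        "genuine_ok": matches_trust_anchor(anchor, ZONE, 257, 3, 13, GENUINE_KEY),
        "substituted_ok": matches_trust_anchor(anchor, ZONE, 257, 3, 13, substituted),
        # The same key bytes published under a different name must not match.
        "wrong_owner_ok": matches_trust_anchor(anchor, "example.net.", 257, 3, 13, GENUINE_KEY),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two points worth noting. The owner name is part of the digest input, so a pinned key is bound to one zone and cannot be replayed for another. And nothing here depends on the root: a resolver holding such an anchor for `example.org.` validates that zone's chain directly, which is exactly what makes per-zone anchors an independent check against a compromised root key, at the cost of having to roll every pinned anchor by hand.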
