On 6 mar 2015, at 07:14, John C Klensin <john-ietf(_at_)jck(_dot_)com> wrote:

>> One description of
>> a threat model to DNS, including description of what
>> threats DNSSEC is intended to defend against can be found
>> in RFC 3833 [RFC3833].
>> If for example the URI resource record is not signed with
>> the help of DNSSEC and validated successfully, trusting the
>> non-signed URI might lead to a downgrade attack.
>
> While this may be obvious to experts, the experts probably don't
> need it. For everyone else, you are probably missing a
> statement about interception, changes to the query or URI, and a
> system that won't respond as intended to STARTTLS or equivalent.
> Note, in particular, that if one started out with:
>
> foo.example.com. IN URI 0 0 good.example.com.
>
> and a query for that produced a response that contained
>
> foo.example.com. IN URI 0 0 evil.example.com.
>
> That would clearly be a problem for DNSSEC but, if both of the
> hosts designated by "good" and "evil" responded to STARTTLS by
> opening TLS connections at desired degrees of security, there
> would be no downgrade attack, "only" a MITM host diversion
> attack.
Well, I to some extent disagree and I also thought that that was what Sam pointed
out...one wanted to communicate with something at foo.example.com, and if one
"normally" did use HTTP over TLS and got a 301 or 302 back, and now instead do
a similar change of target with the help of DNS, you do get something very
similar at least to a downgrade attack.
But I understand what your point is -- I claim ;-)
Patrik
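The point both messages circle around is what a client should do with a URI record that did not validate. As an added illustration (not code from the thread, the draft, or any IETF implementation), the following constructs a DNS response carrying a URI RR (RFC 7553 wire format: 16-bit priority, 16-bit weight, then the target), parses it, and only hands the target to the caller when the response carries the AD (Authenticated Data) bit. The record owner `foo.example.com.` is taken from the thread; the `https://good.example.com/` and `https://evil.example.com/` targets, the transaction id and TTL are constructed sample values, and the code assumes the AD bit comes from a validating resolver reached over a channel the client already trusts (otherwise the bit itself can be forged in transit, which is exactly the interception case raised above).

```python
import struct

URI_TYPE = 256      # URI RRTYPE number, RFC 7553
AD_FLAG = 0x0020    # Authenticated Data bit in the DNS header flags word


def encode_name(name):
    """Encode a dotted owner name into DNS label wire format (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a wire-format name starting at msg[off]; returns (name, next offset)."""
    labels = []
    while True:
        ln = msg[off]
        if ln == 0:
            return ".".join(labels) + ".", off + 1
        if ln & 0xC0 == 0xC0:  # compression pointer: follow it and stop here
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = decode_name(msg, ptr)
            labels.append(tail.rstrip("."))
            return ".".join(labels) + ".", off + 2
        labels.append(msg[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln


def build_response(qname, uri_target, validated, priority=0, weight=0, txid=0x1234):
    """Constructed sample response: one question, one URI answer, AD set iff validated."""
    flags = 0x8180 | (AD_FLAG if validated else 0)  # QR, RD, RA (+ AD)
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", URI_TYPE, 1)  # class IN
    rdata = struct.pack("!HH", priority, weight) + uri_target.encode("utf-8")
    answer = (encode_name(qname)
              + struct.pack("!HHIH", URI_TYPE, 1, 300, len(rdata))
              + rdata)
    return header + question + answer


def parse_response(msg):
    """Return the AD status and the list of URI records (owner, priority, weight, target)."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                 # skip the question section
        _, off = decode_name(msg, off)
        off += 4                        # QTYPE + QCLASS
    records = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == URI_TYPE and rdlen >= 4:
            prio, wt = struct.unpack("!HH", rdata[:4])
            records.append((name, prio, wt, rdata[4:].decode("utf-8")))
    return {"ad": bool(flags & AD_FLAG), "uri": records}


def select_target(msg, require_dnssec=True):
    """Pick the lowest-priority URI target, but only from a DNSSEC-validated answer.

    Returning None on an unvalidated answer is the defensive choice the thread argues
    for: an unsigned URI RR can be rewritten in transit, so acting on it lets the
    rewriter choose where the client connects.
    """
    parsed = parse_response(msg)
    if require_dnssec and not parsed["ad"]:
        return None
    if not parsed["uri"]:
        return None
    best = min(parsed["uri"], key=lambda r: r[1])  # lowest priority value wins
    return best[3]


if __name__ == "__main__":
    signed = build_response("foo.example.com.", "https://good.example.com/", validated=True)
    unsigned = build_response("foo.example.com.", "https://evil.example.com/", validated=False)
    print("validated answer ->", select_target(signed))
    print("unvalidated answer ->", select_target(unsigned))
```

`require_dnssec=False` reproduces the behaviour the draft text warns about, where the client follows whatever target the (possibly rewritten) answer contains; with the default the unvalidated answer is discarded rather than used.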