Re: DNSSEC is NOT secure end to end

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Christian Huitema wrote:

>>That is, security of DNSSEC involves third parties and is not end
>>to end.

> That is indeed correct. An attacker can build a fake hierarchy of
> "secure DNS" assertions and try to get it accepted. The attack can
> succeed with the complicity of one of the authorities in the
> hierarchy. It is a classic "attack by a trusted party".

Yes, the hierarchy has hops.

For my domain: "necom830.hpcl.titech.ac.jp", hierarechy of zones
have hops of ".", "jp", "ac.jp", "titech.ac.jp" and
"hpcl.titech.ac.jp". The authority hops are IANA, JPNIC, my
university, and my lab. Though you may have direct relationship
with IANA, JPNIC is the third party for both you and me.

> If an intermediate authority has
> been compromised, it can just as well insert a fake NS record --
> that's not harder than a fake record signature.

So, with a compromised hop of an intermediate authority, record
signature on the faked next hop key can be generated.

Then, with a private key corresponding to the faked next hop key,
record signature on the faked second next hop key can be generated.

Then, with a private key corresponding to the faked second next
hop key, record signature on the faked third next hop key can be
generated.

Yes, security of DNSSEC is totally hop by hop.

							Masataka Ohta

_______________________________________________

Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf

[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]