Re: DNSSEC is NOT secure end to end (more tutorial than debating)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 





Richard Barnes wrote:

This debate has nothing to do with the security properties of DNSSEC.

A basic assumption of the DNS is that what the authoritative server for zone says is, well, authoritative. The structure of DNS itself entitles JPNIC to point ac.jp wherever they want; by using a name within the .jp domain, you are agreeing to act within JPNIC's domain of control. JPNIC could set up an authoritative server for hpcl.titech.ac.jp completely independently of you, regardless of DNSSEC, and from the perspective of the DNS, that would be the right answer.


I guess what Masataka was referring to is a different source of variance, i.e. an impersonation of JPNIC's authority over its domain of control (using a compromised JPNIC's private key).

All DNSSEC does is make the assertions made in the DNS reliable -- it does nothing to change the locus of control.


Reliable through a chain fo digital signatures. Reliable to the extent an impersonation attack (on the locus of control) does not occur based on a compromised private signature key.

On the other hand, you can certainly use the DNSSEC protocol elements to do peer-to-peer security, just like you can use private DNS servers, and just like you can use TLS without trust anchors (i.e., with self-signed certs). Just hand out the public half of your ZSK to people you want to be able to verify names within your zone.


Then you reduce the chain of digital signatures to a single one, raising confidence level at the cost of more key management hindrance.

Indeed, this thread seems to be another attempt to understand the basic DNSSEC properties.

- Thierry

--Richard


_______________________________________________

Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf

[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]