Shane Kerr wrote:

>> If you mean COM zone, it is not necessary to inject any data into
>> the zone.
>> You, instead, can inject a forged certificate into some cache used
>> by your victim.

> You said transport security can help. How can it in this case?

With plain old DNS, zone administrators have to keep master zone files secure so that they do not include forged data. Other administrators take care of transport security, for example by randomizing port numbers, which makes plain old DNS reasonably secure.

With DNSSEC, however, a new administration mechanism to generate signatures is mandated, which is NOT automagically secure and introduces new administrative security holes.

Thus, even if master zone files are administered as securely as in plain old DNS administration, the signature generation mechanisms may be hacked.

Unlike forgery of master zone files, which is published and detected by periodic checking by third parties, an attack by an unpublished forged signature will not be noticed until a victim is attacked, the victim notices the (resulting loss from the successful) attack, and the victim has sufficient knowledge of DNSSEC.

Still, the victim may be protected if forged signatures cannot be injected into the victim through transport.

> Also, how can you create a forged certificate?

By attacking signature generation mechanisms, which is a security hole specific to DNSSEC, not shared by plain old DNS.

Note that DNSSEC does not give any cryptographic protection against attacks on the signature generation mechanisms.

Masataka Ohta