What Mark is saying here is that DNSSEC is not designed to provide very much security and so does not need to be very secure. What I am saying is that people are already assuming that DNSSEC provides a very much higher standard of security and that this is going to lead to new security failures. Remember that an initial response to the Kaminsky attack from at least one vendor was that DNS was designed to be vulnerable to cache poisoning. I see three options 1) Cancel DNSSEC Not happening, move on. 2) Educate people so that they understand exactly what security DNSSEC is going to provide. Good luck with that one. People will do silly things, ignore all the warning labels and then blame the protocol. There is a real risk that some will sue. And telling people that DNSSEC is not going to secure the Internet is not going to be very easy while Vint Cerf is out there telling people that it is. 3) Design a DNSSEC 2.0 that meets the expectations. Which is I think a lot easier than it may appear. On Wed, Jul 21, 2010 at 9:04 PM, Masataka Ohta <mohta@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote: > Mark Andrews wrote: > >>> If there is going to be an unbroken chain of trust then at some point >>> there has to be a point where the registry signs the domain owner key >>> and it is damned obvious that that is the potential weak link in the >>> chain. I don't want to be more specific that that because I know from >>> previous interactions that if I try to be precise the response will be >>> to try to distract with irrelevant nitpicking. > > Any chain is breakable by MitM attacks on its intermediate links. > >> Yes adding data to the parent zone requires secure authenticated >> communication. DS however are no diffent to NS. Both require the >> same level of authentication. Yes it is subject to potential social >> engineering attacks. > > That's how DNSSEC is not secure end to end and only as secure as > plain old DNS (assuming both are properly implemented, though > proper implementation of DNSSEC should be a lot more complex > and, thus, difficult, if not impossible, than plain old DNS). > > The end to end security can be established only by sharing a security > information directly and securely by ends without any intermediate > entities such as CAs. > > Masataka Ohta > _______________________________________________ > Ietf mailing list > Ietf@xxxxxxxx > https://www.ietf.org/mailman/listinfo/ietf > -- Website: http://hallambaker.com/ _______________________________________________ Ietf mailing list Ietf@xxxxxxxx https://www.ietf.org/mailman/listinfo/ietf