Re: Historic Moment - Root zone of the Internet was just signed minutes ago!!!

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



What Mark is saying here is that DNSSEC is not designed to provide
very much security and so does not need to be very secure.

What I am saying is that people are already assuming that DNSSEC
provides a very much higher standard of security and that this is
going to lead to new security failures. Remember that an initial
response to the Kaminsky attack from at least one vendor was that DNS
was designed to be vulnerable to cache poisoning.


I see three options

1) Cancel DNSSEC

Not happening, move on.

2) Educate people so that they understand exactly what security DNSSEC
is going to provide.

Good luck with that one. People will do silly things, ignore all the
warning labels and then blame the protocol. There is a real risk that
some will sue. And telling people that DNSSEC is not going to secure
the Internet is not going to be very easy while Vint Cerf is out there
telling people that it is.

3) Design a DNSSEC 2.0 that meets the expectations.

Which is I think a lot easier than it may appear.


On Wed, Jul 21, 2010 at 9:04 PM, Masataka Ohta
<mohta@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
> Mark Andrews wrote:
>
>>> If there is going to be an unbroken chain of trust then at some point
>>> there has to be a point where the registry signs the domain owner key
>>> and it is damned obvious that that is the potential weak link in the
>>> chain. I don't want to be more specific that that because I know from
>>> previous interactions that if I try to be precise the response will be
>>> to try to distract with irrelevant nitpicking.
>
> Any chain is breakable by MitM attacks on its intermediate links.
>
>> Yes adding data to the parent zone requires secure authenticated
>> communication.  DS however are no diffent to NS.  Both require the
>> same level of authentication.  Yes it is subject to potential social
>> engineering attacks.
>
> That's how DNSSEC is not secure end to end and only as secure as
> plain old DNS (assuming both are properly implemented, though
> proper implementation of DNSSEC should be a lot more complex
> and, thus, difficult, if not impossible, than plain old DNS).
>
> The end to end security can be established only by sharing a security
> information directly and securely by ends without any intermediate
> entities such as CAs.
>
>                                                Masataka Ohta
> _______________________________________________
> Ietf mailing list
> Ietf@xxxxxxxx
> https://www.ietf.org/mailman/listinfo/ietf
>



-- 
Website: http://hallambaker.com/
_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf



[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]