On Thu, 12 Sep 2013, Theodore Ts'o wrote:
>> Any coercing that happens has to be globally visible, if the target
>> ensures he is using "random" nameservers to query for data.
> Not necessarily. First of all, an active attacker located close to
> the target can simply replace the DNS replies with bogus records,
Not if I run DNS over TCP through tor. That's why I said "random"
servers. Are they going to go after a single target by being upstream of
all the tor exit nodes? Even if they did, we should just run monitors
for our own zones that also query for that data using tor. They won't
know the difference between the monitor and their target.
> signed by the registrar's key which was either coerced or stolen by
> the NSA's Key "Recovery" Service. Secondly, if the web site has all
> of its nameservers run by the same organization (i.e., GoDaddy's DNS
> service), the nameservers could be set up to return the bogus DNS
> records only to specific IP addresses or specific IP ranges.
See above.
> Finally, if you think the target can try to find random caching
> nameservers all across the network to use, (a) there are certain
> environments where this is not allowed --- some ISPs or hotel/coffee
> shop/airline's networks require that you use their name server, and
> (b) for good and proper reasons, most nameservers have been configured
> not to allow recursive queries to random IP addresses.
See above. But also, you can use various open resolvers. The Fedora
Project even runs a few for dnssec-trigger that are accessible only via
TCP - I'm hoping more people will put up TCP-only open resolvers,
especially with:
https://datatracker.ietf.org/doc/draft-wouters-edns-tcp-chain-query/
>> Furthermore, TLDs could institute a delay mechanism with respect to
>> updating KSK/DS record so a compromised Registrar requesting an updated
>> DS won't come into effect immediately, and the Registrant has time to
>> react.
> A delay mechanism would only work if the TLD sent a notification of a
> changed KSK/DS record to the Registrant --- but would the TLD have access
> to the contact information for the Registrant?
Yes, the TLD runs their Registry with admin-c and tech-c contact
information.
Another method would be for the domain "lock" to get a delay of a few
hours and/or a confirmation message to the registrant if the registrar
changes the lock status.
Paul
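The monitoring idea in the message above (query your own zone's data over TCP, through tor, from several resolvers, and see whether any of them hand back different records) is easy to sketch. The following is an added example written for this page, not code from the thread or from dnssec-trigger: a minimal DNS-over-TCP client (2-byte length framing per RFC 1035) plus a cross-resolver comparison that flags whichever resolvers disagree with the majority. The resolver names, the zone `example.` and the DS records in `demo()` are constructed sample data; the network function is written against plain TCP so it can be run under a SOCKS wrapper such as torsocks, but the demo itself runs offline.

```python
import socket
import struct
from collections import Counter
from typing import Dict, List, Tuple

TYPE_DS = 43
Answer = Tuple[str, int, bytes]   # (owner name, rrtype, rdata)


def build_query(qname: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Plain DNS query, RD set, one question, no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(struct.pack("B", len(l)) + l.encode()
                      for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def frame_tcp(msg: bytes) -> bytes:
    """DNS over TCP prefixes every message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("short read from resolver")
        buf += chunk
    return buf


def query_tcp(server: str, qname: str, qtype: int, port: int = 53) -> bytes:
    """Send one query over TCP and return the raw response (not used by demo())."""
    q = build_query(qname, qtype)
    with socket.create_connection((server, port), timeout=10) as s:
        s.sendall(frame_tcp(q))
        (length,) = struct.unpack("!H", _recv_exact(s, 2))
        resp = _recv_exact(s, length)
    if resp[:2] != q[:2]:
        raise ValueError("transaction id mismatch")
    return resp


def _read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_answers(msg: bytes) -> List[Answer]:
    """Return the answer-section RRs; TTLs are dropped so caches compare equal."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = _read_name(msg, off)
        off += 4                                       # qtype + qclass
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append((name, rtype, msg[off:off + rdlen]))
        off += rdlen
    return answers


def divergent_resolvers(views: Dict[str, List[Answer]]) -> List[str]:
    """Resolvers whose RRset differs from the most common one seen."""
    keys = {r: tuple(sorted((n, t, rd.hex()) for n, t, rd in a))
            for r, a in views.items()}
    majority = Counter(keys.values()).most_common(1)[0][0]
    return sorted(r for r, k in keys.items() if k != majority)


def build_response(query: bytes, rtype: int, rdatas: List[bytes]) -> bytes:
    """Constructed sample reply: echoes the question, one RR per rdata, owner
    name given as a compression pointer (0xC00C) to the question name."""
    (txid,) = struct.unpack("!H", query[:2])
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, len(rdatas), 0, 0)
    body = query[12:]
    for rd in rdatas:
        body += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(rd)) + rd
    return hdr + body


def demo() -> List[str]:
    """Constructed scenario: two resolvers agree on the DS for example., a third
    (standing in for a coerced or targeted path) returns a different key."""
    q = build_query("example.", TYPE_DS)
    honest = struct.pack("!HBB", 0xD8ED, 13, 2) + b"\x11" * 32   # tag, alg 13, SHA-256
    bogus = struct.pack("!HBB", 0x1111, 13, 2) + b"\x22" * 32
    views = {
        "resolver-a": parse_answers(build_response(q, TYPE_DS, [honest])),
        "resolver-b": parse_answers(build_response(q, TYPE_DS, [honest])),
        "resolver-c": parse_answers(build_response(q, TYPE_DS, [bogus])),
    }
    return divergent_resolvers(views)


if __name__ == "__main__":
    print("disagreeing resolvers:", demo())
```

The comparison only says that resolvers disagree, not which one is right; with two vantage points a tie is undecidable, so a real monitor wants an odd number of paths and should also validate the DNSSEC chain itself. Owner names are decoded with compression-pointer handling because real resolvers, unlike the constructed sample, freely mix pointers and literal labels.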