Nico Williams <nico@xxxxxxxxxxxxxxxx> wrote: > > Mitigations for PKI's compromised-issuer MITM vulnerability: > > - Strong naming constraints > > Check! The most important mitigation is already there. DNSSEC has > and necessarily had to have strong naming constraints from the get > go. Sort-of related to this is the concept of delegation-only zones. If you get a signature for www.example.dodgy from the .dodgy keys rather than the example.dodgy keys, you know something is not right. DNSSEC can sometimes spot this if the validator has previously cached the zone cut. The idea of enforcing delegation-only zones is somewhat contentious and it causes interoperability problems in practice - and AFAIK the existing delegation-only code only constrains resolution not validation. (Historical note: I believe early versions of DNSSEC did not have such strong coupling between the naming hierarchy and the signing hierarchy. See RFC 3008.) Tony. -- f.anthony.n.finch <dot@xxxxxxxx> http://dotat.at/ Thames: Variable 3, becoming east 4 or 5. Slight, occasionally moderate later. Rain later. Good, occasionally poor later.