
Re: Pimping DNSSEC (was Re: DNSSEC - Signature Only vs the MX/A issue.)



> Alex Bligh wrote:
> 
> >> That's a big surprise, because DNSSEC is not a protection against
> >> most, if not all, of attacks, even when zone administrators are
> >> not compromised, which is as easy as compromising ISPs.
> 
> > Specifically, DNSSEC is a protection against injection / MITM attacks.
> 
> A man working for zone administrators can be the MITM, just as a
> man working for ISPs can be the MITM.
> 
> > The alternative rational argument is to say "leave DNS insecure,
> 
> Properly implemented and operated plain DNS is secure.
> 
> Properly implemented and operated plain DNS is just as secure
> as properly implemented and operated DNSSEC.
> 
> Both are weakly secure.
> 
> Of course, improperly implemented or operated DNSSEC is less secure
> than properly implemented and operated plain DNS.
> 
> > solve it all at a higher level, for each protocol,
> > based on certificates etc., and
> 
> PKI is weakly secure.
> 
> You can enjoy cryptographic security only when you directly share
> secret information with your peer. Security does cost.
> 
> 						Masataka Ohta

	Sure humans could inject data in the pre-sign stage of any
	of the parents.  This is no different to the occasional
	bogus NS RRsets that get added to parents today.  I don't
	think anyone that knows anything about security would say
	that this can't happen.  In fact this is the weakest part
	of DNSSEC.

	On the other hand these are rare events compared to the
	attack scenarios DNSSEC is designed to protect against.
	i.e.  spoofed responses.

	Now for most zones there are two or three parent zones
	that you need to worry about.  For those that I've seen
	DNSSEC operational plans for I believe them to be secure
	against the DNS server machines being compromised.  At
	worst it results in a DoS attack on the root.

	I believe the root can be secured against all but compromised
	personnel.  The root zone is small enough that all data to
	be entered can be transferred by hand.  There is also a small
	enough number of child zones that in person transfers of DS
	records will be possible and/or electronic transfers with
	backup human to human verification will be possible.

	For COM, COM.AU etc. we are going to have to trust that the
	registration system won't be compromised.  I'm not worried
	about the DNS servers themselves being compromised as all
	it leads to is a DoS.

	AU, UK and other small TLDs are in a similar situation to
	the root zone in that it could all be done by hand verification.

	Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews@isc.org

--
archive: <http://ops.ietf.org/lists/namedroppers/>