IETF Logo Mail Archive

Re: [Asrg] DNSSEC is NOT secure end to end

Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp> Tue, 02 June 2009 23:33 UTC

Return-Path: <mohta@necom830.hpcl.titech.ac.jp>
X-Original-To: asrg@core3.amsl.com
Delivered-To: asrg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8F6003A6A12 for <asrg@core3.amsl.com>; Tue, 2 Jun 2009 16:33:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.553
X-Spam-Level: *
X-Spam-Status: No, score=1.553 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_JP=1.244, HOST_EQ_JP=1.265, RCVD_IN_NJABL_PROXY=1.643]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L4UwTDeVZMNB for <asrg@core3.amsl.com>; Tue, 2 Jun 2009 16:33:15 -0700 (PDT)
Received: from necom830.hpcl.titech.ac.jp (necom830.hpcl.titech.ac.jp [131.112.32.132]) by core3.amsl.com (Postfix) with SMTP id 1E7FC3A68E0 for <asrg@irtf.org>; Tue, 2 Jun 2009 16:33:15 -0700 (PDT)
Received: (qmail 44231 invoked from network); 3 Jun 2009 01:03:36 -0000
Received: from softbank219001188006.bbtec.net (HELO necom830.hpcl.titech.ac.jp) (219.1.188.6) by necom830.hpcl.titech.ac.jp with SMTP; 3 Jun 2009 01:03:36 -0000
Message-ID: <4A25B687.7070106@necom830.hpcl.titech.ac.jp>
Date: Wed, 03 Jun 2009 08:32:23 +0900
From: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ja-JP; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)
X-Accept-Language: ja, en
MIME-Version: 1.0
To: Thierry Moreau <thierry.moreau@connotech.com>
References: <200905302032.n4UKVxaZ048822@givry.fdupont.fr> <4A21C0CB.8070409@necom830.hpcl.titech.ac.jp> <8EFB68EAE061884A8517F2A755E8B60A1EF83F8661@NA-EXMSG-W601.wingroup.windeploy.ntdev.microsoft.com> <4A252B54.6020508@necom830.hpcl.titech.ac.jp> <4A253289.3020000@connotech.com>
In-Reply-To: <4A253289.3020000@connotech.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailman-Approved-At: Wed, 03 Jun 2009 12:09:27 -0700
Cc: Christian Huitema <huitema@windows.microsoft.com>, Francis Dupont <Francis.Dupont@fdupont.fr>, Anti-Spam Research Group - IRTF <asrg@irtf.org>, "ietf@ietf.org" <ietf@ietf.org>
Subject: Re: [Asrg] DNSSEC is NOT secure end to end
X-BeenThere: asrg@irtf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
List-Id: Anti-Spam Research Group - IRTF <asrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/asrg>
List-Post: <mailto:asrg@irtf.org>
List-Help: <mailto:asrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Jun 2009 23:33:15 -0000

Thierry Moreau wrote:

>>>> That is, security of DNSSEC involves third parties and is not end
>>>> to end.

> This is exactly like a chain of PKI CA's (replacing the path from bottom 
> to top of zone hierarchy):

> Exactly the same with a compromised intermediate CA.

> Exactly the same with a private key corresponding to the next 
> intermediate CA along the chain (i.e. the one certified by the 

The paper of David Clark says PKI is not secure end to end.

Some tried to argue against by saying DNSSEC is so special that
it is secure end to end.

But, as you can observe, DNSSEC is no special and not secure end
to end.

> I don't think any DNSSEC expert ever claimed differently.

I am the DNSSEC expert and see some people having a lot less
expertise than me says DNSSEC secure end to end.

They are incorrect or using different terminology on "end to end"
not acceptable to the Internet community.

						Masataka Ohtqa

v2.23.0 | Report a Bug | By Email