Re: [Asrg] DNSSEC is NOT secure end to end

Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp> Thu, 04 June 2009 03:35 UTC

Message-ID: <4A2740E6.3060601@necom830.hpcl.titech.ac.jp>
Date: Thu, 04 Jun 2009 12:35:02 +0900
From: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>
To: Bill Manning <bmanning@ISI.EDU>
References: <200905302032.n4UKVxaZ048822@givry.fdupont.fr> <4A21C0CB.8070409@necom830.hpcl.titech.ac.jp> <8EFB68EAE061884A8517F2A755E8B60A1EF83F8661@NA-EXMSG-W601.wingroup.windeploy.ntdev.microsoft.com> <4A252B54.6020508@necom830.hpcl.titech.ac.jp> <20090603075602.GA3945@boreas.isi.edu>
In-Reply-To: <20090603075602.GA3945@boreas.isi.edu>
Cc: Christian Huitema <huitema@windows.microsoft.com>, Francis Dupont <Francis.Dupont@fdupont.fr>, Anti-Spam Research Group - IRTF <asrg@irtf.org>, "ietf@ietf.org" <ietf@ietf.org>
Subject: Re: [Asrg] DNSSEC is NOT secure end to end

Bill Manning wrote:

> 	i think the distinction here might be characterised by 
> 	the use of terms:
> 
> 	-channel security

Don't try to confuse the terminology.

With the terminology of "channel", the paper addresses the issue
that security by channels between zones or zone administrators
depends on security of intermediate zones and is not end to end.

> 	-data integrity

Data integrity is maintained through the channels between zones
hop by hop.

> 	DNSSEC - the signing of the data, provides a means to ensure the
> 	accuracy and integrity of the data, the payload.

The problem is that the accuracy and integrity of DNSSEC is not
cryptographically but socially secure.

So is plain old DNS.

So, there is no point in deploying DNSSEC.

							Masataka Ohta
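A toy model of the hop-by-hop dependency argued above, added here as an illustration and not part of the thread: a hierarchical chain of trust in which each parent zone publishes a signed DS for its child, so a resolver anchored only at the root accepts whatever key an intermediate zone vouches for. HMAC under a per-zone key stands in for real public-key signatures, and the zone and record names are constructed.

```python
import hashlib
import hmac
import secrets
# Constructed toy model of a DNSSEC delegation chain: HMAC under a zone key stands
# in for public-key signatures; a parent publishes a DS = hash of its child's key.
def ds_of(key):
    return hashlib.sha256(key).hexdigest()
def sign(key, data):
    return hmac.new(key, data.encode(), hashlib.sha256).hexdigest()
def make_zone(name):
    return {"name": name, "key": secrets.token_bytes(32), "ds": {}, "records": {}}
def delegate(parent, child):
    # The parent vouches for the child's key by publishing a DS it has signed.
    d = ds_of(child["key"])
    parent["ds"][child["name"]] = (d, sign(parent["key"], child["name"] + d))
def publish(zone, rrname, rdata):
    zone["records"][rrname] = (rdata, sign(zone["key"], rrname + rdata))

def validate(chain, rrname, anchor_key):
    """Walk anchor -> leaf; each hop's key is trusted only via the DS signed above it."""
    key = anchor_key
    for parent, child in zip(chain, chain[1:]):
        d, sig = parent["ds"].get(child["name"], (None, ""))
        if d is None or not hmac.compare_digest(sig, sign(key, child["name"] + d)):
            return None  # no delegation, or a DS the parent never signed
        if d != ds_of(child["key"]):
            return None  # DS does not match the key the child presents
        key = child["key"]
    rdata, sig = chain[-1]["records"].get(rrname, (None, ""))
    if rdata is None or not hmac.compare_digest(sig, sign(key, rrname + rdata)):
        return None
    return rdata

def demo():
    root, tld, leaf = make_zone("."), make_zone("example."), make_zone("mail.example.")
    delegate(root, tld)
    delegate(tld, leaf)
    publish(leaf, "mx", "mx1.mail.example.")
    honest = validate([root, tld, leaf], "mx", root["key"])
    # The intermediate zone re-points its DS at a key it controls: a resolver
    # anchored only at the root still validates, because trust flowed hop by hop.
    rogue = make_zone("mail.example.")
    publish(rogue, "mx", "mx.elsewhere.example.")
    delegate(tld, rogue)
    forged = validate([root, tld, rogue], "mx", root["key"])
    # A key that no zone above ever delegated to fails closed.
    stranger = make_zone("mail.example.")
    publish(stranger, "mx", "mx.stranger.example.")
    return honest, forged, validate([root, tld, stranger], "mx", root["key"])
```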