Re: [Asrg] DNSSEC is NOT secure end to end

Paul Wouters <paul@xelerance.com> Fri, 05 June 2009 17:06 UTC

Date: Fri, 05 Jun 2009 12:44:52 -0400
From: Paul Wouters <paul@xelerance.com>
To: Christian Huitema <huitema@windows.microsoft.com>
In-Reply-To: <8EFB68EAE061884A8517F2A755E8B60A1EF83F8A38@NA-EXMSG-W601.wingroup.windeploy.ntdev.microsoft.com>
Message-ID: <alpine.LFD.1.10.0906051242540.546@newtla.xelerance.com>
References: <200905302032.n4UKVxaZ048822@givry.fdupont.fr> <4A21C0CB.8070409@necom830.hpcl.titech.ac.jp> <8EFB68EAE061884A8517F2A755E8B60A1EF83F8661@NA-EXMSG-W601.wingroup.windeploy.ntdev.microsoft.com> <4A252B54.6020508@necom830.hpcl.titech.ac.jp> <4A253289.3020000@connotech.com> <8EFB68EAE061884A8517F2A755E8B60A1EF83F8A38@NA-EXMSG-W601.wingroup.windeploy.ntdev.microsoft.com>
Cc: Anti-Spam@core3.amsl.com, IRTF <asrg@irtf.org>, "ietf@ietf.org" <ietf@ietf.org>

On Wed, 3 Jun 2009, Christian Huitema wrote:

> Also, it is actually possible to improve on DNSSEC by introducing additional knowledge. If two domains have an established relation, their servers can memorize the relevant public keys. If a host has a relation with a domain, it can memorize that domain's public key. This kind of "peer-to-peer" improvement makes the domain-to-domain or host-to-domain DNSSEC service immune to attacks by nodes higher in the hierarchy.

How do you handle key changes? How do you determine if the key change
is performed by the domain holder or an attacker?

There is no reason for such a "leap of faith" caching. In fact, with
SSHFP records, we can also nail down that leap of faith for ssh finally :)

Paul
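The two points in the exchange above, the key-change problem with a "memorize the key you saw" cache and the SSHFP alternative, as an added worked example that is not part of the original message or of any OpenSSH code. It builds the SSHFP RDATA the way `ssh-keygen -r` does (SHA-256 over the base64-decoded host key blob), runs a leap-of-faith cache and an SSHFP check through the same three events (first contact, an attacker's key, a legitimate rollover), and shows that only the SSHFP path can tell the last two apart. The hostname, the host key bytes and the DNS answers (including the `ad` flag that stands in for a validating resolver's AD bit) are constructed stand-ins; no real key pair or zone exists behind them.

```python
import base64
import hashlib
import struct

# SSHFP RDATA fields (RFC 4255; Ed25519 algorithm number 4 from RFC 7479,
# SHA-256 fingerprint type 2 from RFC 6594).
SSHFP_ALG = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3, "ssh-ed25519": 4}
FPTYPE_SHA256 = 2


def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def make_ed25519_hostkey_line(raw32: bytes) -> str:
    """Build an OpenSSH public-key line from 32 raw key bytes.
    The key bytes used here are constructed filler; no private key exists for them."""
    assert len(raw32) == 32
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode("ascii")


def sshfp_rdata(hostkey_line: str) -> tuple:
    """Compute the SSHFP record (alg, fptype, hex fingerprint) for a host key line.
    The fingerprint is SHA-256 over the base64-decoded key blob, which is what
    `ssh-keygen -r` publishes for a host."""
    keytype, b64 = hostkey_line.split()[:2]
    blob = base64.b64decode(b64)
    return (SSHFP_ALG[keytype], FPTYPE_SHA256, hashlib.sha256(blob).hexdigest())


class LeapOfFaithCache:
    """The 'memorize the key you saw' approach (trust on first use)."""

    def __init__(self):
        self.known = {}

    def check(self, host: str, hostkey_line: str) -> str:
        fp = sshfp_rdata(hostkey_line)
        if host not in self.known:
            self.known[host] = fp          # the leap of faith: nothing is verified here
            return "accepted-on-first-use"
        if self.known[host] == fp:
            return "match"
        # A changed key looks the same whether the owner rolled it or an attacker
        # sits in the path: the cache holds no information to tell them apart.
        return "changed-cause-unknown"


def check_via_sshfp(hostkey_line: str, dns_answer: dict) -> str:
    """Verify a presented host key against SSHFP records from DNS.
    dns_answer is a constructed stand-in for a resolver response:
      {"ad": bool, "records": [(alg, fptype, hex), ...]}
    The AD (authenticated data) bit must come from a validating resolver; an
    unsigned or unvalidated answer is no better than the cache."""
    if not dns_answer.get("ad"):
        return "reject-unvalidated-dns"
    if sshfp_rdata(hostkey_line) in dns_answer.get("records", []):
        return "match"
    return "reject-not-in-sshfp"


def run_scenario() -> dict:
    """Walk both methods through first contact, an attacker's key, and a rollover."""
    host = "tla.example"                                   # constructed hostname
    owner_key_v1 = make_ed25519_hostkey_line(bytes(range(32)))
    owner_key_v2 = make_ed25519_hostkey_line(bytes(range(32, 64)))  # rolled key
    attacker_key = make_ed25519_hostkey_line(b"\xaa" * 32)

    cache = LeapOfFaithCache()
    tofu = {
        "first": cache.check(host, owner_key_v1),
        "attacker": cache.check(host, attacker_key),
        "rollover": cache.check(host, owner_key_v2),
    }

    # Only the zone owner can get a record into the signed zone; after the
    # rollover the owner publishes v2 (keeping v1 during the transition).
    signed_before = {"ad": True, "records": [sshfp_rdata(owner_key_v1)]}
    signed_after = {"ad": True,
                    "records": [sshfp_rdata(owner_key_v1), sshfp_rdata(owner_key_v2)]}
    unsigned = {"ad": False, "records": [sshfp_rdata(attacker_key)]}
    sshfp = {
        "first": check_via_sshfp(owner_key_v1, signed_before),
        "attacker": check_via_sshfp(attacker_key, signed_before),
        "rollover": check_via_sshfp(owner_key_v2, signed_after),
        "unsigned": check_via_sshfp(attacker_key, unsigned),
    }
    return {"tofu": tofu, "sshfp": sshfp}


if __name__ == "__main__":
    for method, results in run_scenario().items():
        for step, verdict in results.items():
            print(f"{method:5s} {step:9s} -> {verdict}")
```

The cache gives the same verdict for the attacker's key and for the owner's rolled key, which is the question put to Huitema above. With SSHFP the rollover is handled by the zone owner publishing the new record under the DNSSEC signature, and the attacker's key is rejected because it is not in the signed answer; the unvalidated case shows why the check must insist on a validating resolver rather than on the mere presence of an SSHFP record (OpenSSH's `VerifyHostKeyDNS` applies the same AD-bit requirement).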