Re: [Asrg] DNSSEC is NOT secure end to end

Christian Huitema <huitema@windows.microsoft.com> Sun, 31 May 2009 00:28 UTC

Return-Path: <huitema@windows.microsoft.com>
X-Original-To: asrg@core3.amsl.com
Delivered-To: asrg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A434A3A684D for <asrg@core3.amsl.com>; Sat, 30 May 2009 17:28:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -109.576
X-Spam-Level:
X-Spam-Status: No, score=-109.576 tagged_above=-999 required=5 tests=[AWL=-0.466, BAYES_05=-1.11, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oKsX7XRyQ9aO for <asrg@core3.amsl.com>; Sat, 30 May 2009 17:28:24 -0700 (PDT)
Received: from smtp.microsoft.com (mail1.microsoft.com [131.107.115.212]) by core3.amsl.com (Postfix) with ESMTP id 871CE3A6823 for <asrg@irtf.org>; Sat, 30 May 2009 17:28:24 -0700 (PDT)
Received: from TK5EX14MLTC102.redmond.corp.microsoft.com (157.54.79.180) by TK5-EXGWY-E801.partners.extranet.microsoft.com (10.251.56.50) with Microsoft SMTP Server (TLS) id 8.2.99.4; Sat, 30 May 2009 17:29:09 -0700
Received: from TK5EX14MLTW651.wingroup.windeploy.ntdev.microsoft.com (157.54.71.39) by TK5EX14MLTC102.redmond.corp.microsoft.com (157.54.79.180) with Microsoft SMTP Server id 14.0.582.9; Sat, 30 May 2009 17:29:08 -0700
Received: from tk5-exmlt-w601.wingroup.windeploy.ntdev.microsoft.com (157.54.18.32) by TK5EX14MLTW651.wingroup.windeploy.ntdev.microsoft.com (157.54.71.39) with Microsoft SMTP Server (TLS) id 14.0.582.7; Sat, 30 May 2009 17:29:22 -0700
Received: from NA-EXMSG-W601.wingroup.windeploy.ntdev.microsoft.com ([fe80::8de9:51a2:cd62:f122]) by tk5-exmlt-w601.wingroup.windeploy.ntdev.microsoft.com ([157.54.18.32]) with mapi; Sat, 30 May 2009 17:29:08 -0700
From: Christian Huitema <huitema@windows.microsoft.com>
To: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>, Francis Dupont <Francis.Dupont@fdupont.fr>
Date: Sat, 30 May 2009 17:29:21 -0700
Thread-Topic: DNSSEC is NOT secure end to end
Thread-Index: Acnhf0YVYXzuOdf1TmmMvuUJhj0vmgABCE+w
Message-ID: <8EFB68EAE061884A8517F2A755E8B60A1EF83F8661@NA-EXMSG-W601.wingroup.windeploy.ntdev.microsoft.com>
References: <200905302032.n4UKVxaZ048822@givry.fdupont.fr> <4A21C0CB.8070409@necom830.hpcl.titech.ac.jp>
In-Reply-To: <4A21C0CB.8070409@necom830.hpcl.titech.ac.jp>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Mailman-Approved-At: Mon, 01 Jun 2009 07:30:44 -0700
Cc: "ietf@ietf.org" <ietf@ietf.org>, Anti-Spam Research Group - IRTF <asrg@irtf.org>
Subject: Re: [Asrg] DNSSEC is NOT secure end to end
X-BeenThere: asrg@irtf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
List-Id: Anti-Spam Research Group - IRTF <asrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/asrg>
List-Post: <mailto:asrg@irtf.org>
List-Help: <mailto:asrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sun, 31 May 2009 07:46:47 -0000

> That is, security of DNSSEC involves third parties and is not end
> to end.

That is indeed correct. An attacker can build a fake hierarchy of "secure DNS" assertions and try to get it accepted. The attack can succeed with the complicity of one of the authorities in the hierarchy. It is a classic "attack by a trusted party".

Problem is, hop-by-hop security will not protect against an attack by an intermediate authority. If an intermediate authority has been compromised, it can just as well insert a fake NS record -- that's not harder than a fake record signature. Hop-by-hop security will securely connect to the wrong name server, to which the wrong NS record points...

-- Christian Huitema