IETF Logo Mail Archive

Re: [Asrg] DNSSEC is NOT secure end to end (more tutorial than debating)

Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp> Tue, 02 June 2009 23:43 UTC

Return-Path: <mohta@necom830.hpcl.titech.ac.jp>
X-Original-To: asrg@core3.amsl.com
Delivered-To: asrg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C173B3A69DB for <asrg@core3.amsl.com>; Tue, 2 Jun 2009 16:43:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.553
X-Spam-Level: *
X-Spam-Status: No, score=1.553 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_JP=1.244, HOST_EQ_JP=1.265, RCVD_IN_NJABL_PROXY=1.643]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tYzOdg44a-Pr for <asrg@core3.amsl.com>; Tue, 2 Jun 2009 16:43:06 -0700 (PDT)
Received: from necom830.hpcl.titech.ac.jp (necom830.hpcl.titech.ac.jp [131.112.32.132]) by core3.amsl.com (Postfix) with SMTP id B13AA3A677C for <asrg@irtf.org>; Tue, 2 Jun 2009 16:43:05 -0700 (PDT)
Received: (qmail 45297 invoked from network); 3 Jun 2009 01:13:53 -0000
Received: from softbank219001188006.bbtec.net (HELO necom830.hpcl.titech.ac.jp) (219.1.188.6) by necom830.hpcl.titech.ac.jp with SMTP; 3 Jun 2009 01:13:53 -0000
Message-ID: <4A25B8EF.70203@necom830.hpcl.titech.ac.jp>
Date: Wed, 03 Jun 2009 08:42:39 +0900
From: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ja-JP; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)
X-Accept-Language: ja, en
MIME-Version: 1.0
To: Thierry Moreau <thierry.moreau@connotech.com>
References: <200905302032.n4UKVxaZ048822@givry.fdupont.fr> <4A21C0CB.8070409@necom830.hpcl.titech.ac.jp> <8EFB68EAE061884A8517F2A755E8B60A1EF83F8661@NA-EXMSG-W601.wingroup.windeploy.ntdev.microsoft.com> <4A252B54.6020508@necom830.hpcl.titech.ac.jp> <4A2 <4A254823.9000405@bbn.com> <4A254E82.30201@connotech.com>
In-Reply-To: <4A254E82.30201@connotech.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailman-Approved-At: Wed, 03 Jun 2009 12:09:27 -0700
Cc: Christian Huitema <huitema@windows.microsoft.com>, Francis Dupont <Francis.Dupont@fdupont.fr>, "ietf@ietf.org" <ietf@ietf.org>, Richard Barnes <rbarnes@bbn.com>, Anti-Spam Research Group - IRTF <asrg@irtf.org>
Subject: Re: [Asrg] DNSSEC is NOT secure end to end (more tutorial than debating)
X-BeenThere: asrg@irtf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
List-Id: Anti-Spam Research Group - IRTF <asrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/asrg>
List-Post: <mailto:asrg@irtf.org>
List-Help: <mailto:asrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Jun 2009 23:43:06 -0000

Thierry Moreau wrote:

>> (That is: You already trust the zones above you to maintain the 
>> integrity of the zone on the *server*;

> This assumption does not stand universally. For some DNS users/usage, 
> DNSSEC signature verification will be a must. The discussion implicitly 
> referred to such uses.

A problem of blindly believing a zone administration is that it is
only as secure as blindly believing an ISP administration.

Attacking a router of a large ISPs is as easy/difficult as attacking
a signature generation mechanism of a large zone.

Moreover, administration of LAN of a local organization (my universty,
for example) is as secure as administration of a zone local to the organization.

You can, for example, bribe a personnel or two, against which there
is no cryptographical protection, which means PKI is weakly secure.

						Masataka Ohta

v2.23.0 | Report a Bug | By Email