Re: [dane] Manipulation of DNSSEC by US government possible? (was Re: Comments on draft-wouters-dane-openpgp-02)

Rene Bartsch <ietf@bartschnet.de> Wed, 30 July 2014 10:15 UTC

Archived-At: http://mailarchive.ietf.org/arch/msg/dane/3XEGfSTTDTzAQZejlCCJlDY6aeI

Two years ago I would have thought the same. But today we are far beyond 
conspiracy theories. We are facing the biggest coordinated hacker attack 
in the history of the internet. After what we've learned in the last year 
the US government has abused the trust of billions of internet users to 
gain control over the internet. We have no clue what other governments 
and intelligence agencies have done or might do. The former director of 
the Austrian intelligence agency expects a lot of new disclosures in the 
next half year. Internet users worldwide are furious about the 
situation.

If we sell DANE as a magic bullet without mentioning the trust anchor can 
manipulate the whole DNSSEC system and who the trust anchor is, users 
will trust DANE blindly. If the trust anchor abuses control over DNSSEC 
this will blow up right into our face and harm the reputation of the 
IETF.

In my opinion we should mention the identity of the DNSSEC trust anchor 
in security considerations and we should mention the DNSSEC trust anchor 
has the possibility to manipulate the whole DNSSEC system.

Regards,

Renne


On 2014-07-28 19:12, Olafur Gudmundsson wrote:
> <chair-hat>
> This discussion is off topic.
> DANE is about how to leverage DNSSEC by applications and conspiracy
> theories are not within our charter.
> 
> Anyone that does not trust DNSSEC operations is free to ignore
> distribution of OPENPGP keys via DNS, and continue to
> use the web of trust.
> </chair-hat>
> 
> 	Olafur
> 
> On Jul 28, 2014, at 10:59 AM, Rene Bartsch <ml@bartschnet.de> wrote:
> 
>> Maybe I misunderstood draft-zhang-ct-dnssec-trans-00 but I do not see 
>> how it would help. Consider the following case:
>> 
>> (Forced by secret US law) The IANA secretly hands over the current 
>> private key of the DNSSEC trust anchor to a US government agency which 
>> uses the private key to sign forged zones and feeds them to DNS 
>> resolvers. That way US government agencies would be able to manipulate 
>> any DNS record including OpenPGP while users would be lulled into a 
>> false sense of security.
>> 
>> In case I didn't miss any super-security feature users should be aware 
>> of that fact.
>> 
>> On 2014-07-28 15:52, Paul Wouters wrote:
>>>> 3. Security considerations: The IANA has control over the DNSSEC 
>>>> root keys. As the IANA is bound to US law, US government agencies 
>>>> probably have access to the DNSSEC root keys and are capable of 
>>>> manipulating the OpenPGP keys signed with DNSSEC.
>>> There is currently a first attempt at specifying transparency for
>>> DNSSEC for those who want to audit/track the DNSSEC root or parent
>>> domain holders:
>>> http://tools.ietf.org/html/draft-zhang-ct-dnssec-trans-00
>>> Paul
>> 
>> --
>> Best regards,
>> 
>> Renne
>> 

-- 
Best regards,

Rene Bartsch, B. Sc. Informatics