Re: [dane] Manipulation of DNSSEC by US government possible? (was Re: Comments on draft-wouters-dane-openpgp-02)

Mark Andrews <marka@isc.org> Wed, 30 July 2014 13:21 UTC

To: "Wiley, Glen" <gwiley@verisign.com>
From: Mark Andrews <marka@isc.org>
References: <1d002b9795bf8f9946f1375fef78abd6@triangulum.uberspace.de> <alpine.LFD.2.10.1407280941250.30319@bofh.nohats.ca> <e2a23385d5698a1022b201915817ed40@triangulum.uberspace.de> <1B773935-7CE3-4507-A196-EAC4D7B21C5F@ogud.com> <0af38c6c3987f9537d16a7c20f517665@triangulum.uberspace.de> <CFFE5FC9.4D653%gwiley@verisign.com>
In-reply-to: Your message of "Wed, 30 Jul 2014 12:49:26 +0000." <CFFE5FC9.4D653%gwiley@verisign.com>
Date: Wed, 30 Jul 2014 23:21:06 +1000
Message-Id: <20140730132106.432C11B1536F@rock.dv.isc.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/ShKoJK3e_mxNRZq3MSaBXgE8LQ8
Cc: "dane@ietf.org" <dane@ietf.org>
Subject: Re: [dane] Manipulation of DNSSEC by US government possible? (was Re: Comments on draft-wouters-dane-openpgp-02)

In message <CFFE5FC9.4D653%gwiley@verisign.com>, "Wiley, Glen" writes:
> Renne,
> 
> While it is technically true that the holder of the trust anchor could
> alter key material it would be impossible to accomplish unnoticed.  In
> order for a trust anchor to change your zone (say by changing an A record)
> they would have to create a new private key (and corresponding public key)
> then sign the altered RR set.
> 
> Your DNS key signing and zone signing keys should be protected with as
> much diligence as your private signing and encryption keys.
> 
> It is as though a locksmith would have to change the locks on a house in
> order to open the door.  Sure they can do it but the homeowner will notice
> immediately when their keys no longer work.  My analogy breaks down if you
> take it too far, but I hope it conveys the point.
> 
> I am far more worried about vectors that can be leveraged passively and
> unobtrusively.
> 
> I agree that we should be open about DNSSEC/DANE however the holder of the
> trust anchor can not manipulate the DNS without being detected.

If one can intercept the packets one could fake up a world view.
This would be detectable if you have trust anchors for the parts
of the world being faked.

If one can't intercept the packets it will almost certainly be
detected.

Maintaining a set of trust anchors for all the TLDs would defeat most
of the threat.  A state agency would have to compromise multiple
TLDs to pull this off, not just the root.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
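The point Mark makes about pinning TLD trust anchors can be shown with a small model of the DNSSEC chain of trust. The code below is an added example written for this archive page; it is not from the thread, from ISC or from BIND. It assumes a toy zone hierarchy (".", "org.", "example.org.", with constructed addresses), collapses each zone's KSK and ZSK into one key, and uses Lamport one-time signatures in place of the RRSIG algorithms so that it runs with the Python standard library only. What it demonstrates is the anchor logic: a party holding the root private key can mint its own org. and example.org. keys and sign a DS for them, and a validator configured with only the root anchor accepts that forged chain; a validator that also pins the org. DS rejects it, because the attacker's org. DNSKEY no longer matches the anchor.

```python
"""Toy DNSSEC chain-of-trust model (added example; names, keys and records
are constructed).  Lamport one-time signatures stand in for RRSIG algorithms
and are reused across several records here purely for brevity; real OTS keys
must never be reused.  This models the trust-anchor logic, not the crypto."""
import hashlib
import os


def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


# --- toy public-key signatures: Lamport OTS over a 256-bit digest ----------
def keygen():
    priv = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pub = b"".join(H(a) + H(b) for a, b in priv)   # 256 * 64 bytes
    return priv, pub


def sign(priv, msg: bytes) -> bytes:
    m = int.from_bytes(H(msg), "big")
    return b"".join(priv[i][(m >> (255 - i)) & 1] for i in range(256))


def verify(pub: bytes, msg: bytes, sig: bytes) -> bool:
    if len(pub) != 256 * 64 or len(sig) != 256 * 32:
        return False
    m = int.from_bytes(H(msg), "big")
    for i in range(256):
        bit = (m >> (255 - i)) & 1
        want = pub[i * 64 + bit * 32 : i * 64 + bit * 32 + 32]
        if H(sig[i * 32 : (i + 1) * 32]) != want:
            return False
    return True


# --- zones, DS records and the records a resolver would fetch --------------
def ds_digest(zone: str, dnskey: bytes) -> bytes:
    """DS rdata: a digest binding the child zone's name to its DNSKEY."""
    return H(zone.encode(), dnskey)


class ZoneSigner:
    """Holder of one zone's private key (KSK and ZSK collapsed into one)."""
    def __init__(self, name: str):
        self.name = name
        self.priv, self.pub = keygen()

    def sign(self, data: bytes) -> bytes:
        return sign(self.priv, data)


def build_chain(signers, owner: str, rdata: bytes):
    """signers ordered root -> leaf.  Each parent publishes a signed DS for
    its child; every zone self-signs its DNSKEY; the leaf signs the RRset."""
    chain = []
    for parent, child in zip(signers, signers[1:]):
        ds = ds_digest(child.name, child.pub)
        chain.append({"zone": parent.name, "dnskey": parent.pub,
                      "dnskey_sig": parent.sign(parent.pub),
                      "ds": ds, "ds_sig": parent.sign(b"DS" + ds)})
    leaf = signers[-1]
    chain.append({"zone": leaf.name, "dnskey": leaf.pub,
                  "dnskey_sig": leaf.sign(leaf.pub),
                  "rrset": (owner, rdata),
                  "rrset_sig": leaf.sign(owner.encode() + rdata)})
    return chain


def validate(chain, anchors) -> bool:
    """anchors: zone name -> locally configured DS digest.  A configured
    anchor is authoritative for its zone; an unpinned zone must be vouched
    for by its parent's signed DS.  Returns True iff the RRset validates."""
    parent_ds = None
    for link in chain:
        zone, dnskey = link["zone"], link["dnskey"]
        claimed = ds_digest(zone, dnskey)
        if zone in anchors:
            if anchors[zone] != claimed:
                return False          # key disagrees with the pinned anchor
        elif parent_ds != claimed:
            return False              # no anchor and the parent does not vouch
        if not verify(dnskey, dnskey, link["dnskey_sig"]):
            return False
        if "ds" in link:
            if not verify(dnskey, b"DS" + link["ds"], link["ds_sig"]):
                return False
            parent_ds = link["ds"]
        else:
            owner, rdata = link["rrset"]
            return verify(dnskey, owner.encode() + rdata, link["rrset_sig"])
    return False                      # chain ended without a signed RRset


def scenario():
    root, org, ex = ZoneSigner("."), ZoneSigner("org."), ZoneSigner("example.org.")
    real = build_chain([root, org, ex], "www.example.org.", b"192.0.2.1")
    # an attacker holding the root key mints its own org./example.org. keys
    fake_org, fake_ex = ZoneSigner("org."), ZoneSigner("example.org.")
    forged = build_chain([root, fake_org, fake_ex], "www.example.org.", b"198.51.100.7")
    root_only = {".": ds_digest(".", root.pub)}
    with_tld = dict(root_only, **{"org.": ds_digest("org.", org.pub)})
    return {"real_root_only": validate(real, root_only),
            "real_with_tld": validate(real, with_tld),
            "forged_root_only": validate(forged, root_only),
            "forged_with_tld": validate(forged, with_tld)}


if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name:18} {'accepted' if ok else 'REJECTED'}")
```

Run stand-alone it prints the four cases; the forged chain is accepted by the root-only validator and rejected once "org." is pinned, while the genuine chain validates either way. The same mechanism covers Mark's first point: a fully faked world view that also substitutes the root key fails at the "." anchor, so detection depends on which zones the validator pins, not on the attacker's ability to intercept packets.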