[dane] Manipulation of DNSSEC by US government possible? (was Re: Comments on draft-wouters-dane-openpgp-02)

Rene Bartsch <ml@bartschnet.de> Mon, 28 July 2014 14:59 UTC

Date: Mon, 28 Jul 2014 16:59:09 +0200
From: Rene Bartsch <ml@bartschnet.de>
To: dane@ietf.org
In-Reply-To: <alpine.LFD.2.10.1407280941250.30319@bofh.nohats.ca>
References: <1d002b9795bf8f9946f1375fef78abd6@triangulum.uberspace.de> <alpine.LFD.2.10.1407280941250.30319@bofh.nohats.ca>
Message-ID: <e2a23385d5698a1022b201915817ed40@triangulum.uberspace.de>
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/U3Tc7HdS-34y8ZIqgy4wVswlZ3E
Subject: [dane] Manipulation of DNSSEC by US government possible? (was Re: Comments on draft-wouters-dane-openpgp-02)

Maybe I misunderstood draft-zhang-ct-dnssec-trans-00 but I do not see 
how it would help. Consider the following case:

(Forced by secret US law) The IANA secretly hands over the current 
private key of the DNSSEC trust anchor to a US government agency which 
uses the private key to sign forged zones and feeds them to DNS 
resolvers. That way US government agencies would be able to manipulate 
any DNS record including OpenPGP while users would be lulled into a 
false sense of security.

In case I didn't miss any super-security feature, users should be aware 
of that fact.

On 2014-07-28 15:52, Paul Wouters wrote:
>> 3. Security considerations: The IANA has control over the DNSSEC root 
>> keys. As the IANA is bound to US law, US government agencies probably 
>> have access to the DNSSEC root keys and are capable of manipulating the 
>> OpenPGP keys signed with DNSSEC.
> 
> There is currently a first attempt at specifying transparency for
> DNSSEC for those who want to audit/track the DNSSEC root or parent
> domain holders:
> 
> http://tools.ietf.org/html/draft-zhang-ct-dnssec-trans-00
> 
> Paul

-- 
Best regards,

Renne
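The scenario in the message above, worked through as an added example by the editor of this archive page; it is not code from Rene, Paul, or draft-zhang-ct-dnssec-trans. It collapses the DNSSEC chain of trust into one link type (a parent signs the child zone's public key, standing in for DS/DNSKEY/RRSIG), uses Ed25519 in place of the DNSSEC algorithms, and models "transparency" as a toy append-only set of hashes of records the root operator has published. The log design, the record format and the names `Record`, `validateChain` and `RunScenario` are all assumptions for illustration, not the draft's actual design. What the run shows: a chain minted with a leaked root private key validates exactly like the honest one against the configured trust anchor, which is the message's point; the only thing that distinguishes the two chains is that the forged root-signed record was never entered in the public log.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Record is a simplified signed delegation: the child zone name, the child
// zone's public key (stands in for DS/DNSKEY data) and the parent's
// signature over name||key (stands in for the RRSIG). Assumed format.
type Record struct {
	Owner string
	Data  []byte
	Sig   []byte
}

// signRecord lets the parent zone vouch for the child zone's key.
func signRecord(parentPriv ed25519.PrivateKey, owner string, childPub ed25519.PublicKey) Record {
	msg := append([]byte(owner), childPub...)
	return Record{Owner: owner, Data: []byte(childPub), Sig: ed25519.Sign(parentPriv, msg)}
}

// validateChain walks root -> TLD -> zone, verifying each link with the key
// established by the previous link, starting from the configured trust anchor.
// This is all a plain validating resolver can check.
func validateChain(anchor ed25519.PublicKey, chain []Record) bool {
	cur := anchor
	for _, r := range chain {
		msg := append([]byte(r.Owner), r.Data...)
		if !ed25519.Verify(cur, msg, r.Sig) {
			return false
		}
		cur = ed25519.PublicKey(r.Data)
	}
	return true
}

// Log is a toy stand-in for a transparency log: a set of hashes of every
// root-signed record the root operator has published. Constructed for the
// example; it is not the mechanism of draft-zhang-ct-dnssec-trans.
type Log struct{ entries map[string]bool }

func recordKey(r Record) string {
	h := sha256.Sum256(append(append([]byte(r.Owner), r.Data...), r.Sig...))
	return hex.EncodeToString(h[:])
}

func (l *Log) Add(r Record)           { l.entries[recordKey(r)] = true }
func (l *Log) Contains(r Record) bool { return l.entries[recordKey(r)] }

// Scenario reports what a resolver sees for the honest and the forged chain.
type Scenario struct {
	HonestValid, ForgedValid   bool // signature validation against the anchor
	HonestLogged, ForgedLogged bool // root-signed record present in the log
}

// RunScenario builds an honest chain (root -> org. -> example.org.) and a
// parallel chain signed with a copy of the root private key, as in the
// message's hypothetical, and checks both the same way.
func RunScenario() Scenario {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader)
	orgPub, orgPriv, _ := ed25519.GenerateKey(rand.Reader)
	examplePub, _, _ := ed25519.GenerateKey(rand.Reader)

	honest := []Record{
		signRecord(rootPriv, "org.", orgPub),
		signRecord(orgPriv, "example.org.", examplePub),
	}
	tlog := &Log{entries: map[string]bool{}}
	tlog.Add(honest[0]) // the root operator publishes what it legitimately signs

	// The attacker holds the root private key but does not write to the log.
	evilOrgPub, evilOrgPriv, _ := ed25519.GenerateKey(rand.Reader)
	evilExamplePub, _, _ := ed25519.GenerateKey(rand.Reader)
	forged := []Record{
		signRecord(rootPriv, "org.", evilOrgPub),
		signRecord(evilOrgPriv, "example.org.", evilExamplePub),
	}

	return Scenario{
		HonestValid:  validateChain(rootPub, honest),
		ForgedValid:  validateChain(rootPub, forged),
		HonestLogged: tlog.Contains(honest[0]),
		ForgedLogged: tlog.Contains(forged[0]),
	}
}

func main() {
	fmt.Printf("%+v\n", RunScenario())
}
```

The caveat a practitioner should keep in mind: the log only helps if clients refuse root-signed records that are not in it, and if an attacker who can obtain the root private key cannot also quietly obtain inclusion in the log. Whether a transparency design achieves that is exactly the question the message leaves open, and this example does not settle it.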