Re: [dane] Manipulation of DNSSEC by US government possible? (was Re: Comments on draft-wouters-dane-openpgp-02)

"Wiley, Glen" <gwiley@verisign.com> Wed, 30 July 2014 12:49 UTC

From: "Wiley, Glen" <gwiley@verisign.com>
To: Rene Bartsch <ietf@bartschnet.de>, "dane@ietf.org" <dane@ietf.org>
Date: Wed, 30 Jul 2014 12:49:26 +0000
Message-ID: <CFFE5FC9.4D653%gwiley@verisign.com>
References: <1d002b9795bf8f9946f1375fef78abd6@triangulum.uberspace.de> <alpine.LFD.2.10.1407280941250.30319@bofh.nohats.ca> <e2a23385d5698a1022b201915817ed40@triangulum.uberspace.de> <1B773935-7CE3-4507-A196-EAC4D7B21C5F@ogud.com> <0af38c6c3987f9537d16a7c20f517665@triangulum.uberspace.de>
In-Reply-To: <0af38c6c3987f9537d16a7c20f517665@triangulum.uberspace.de>
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/jeYRxybGxcaog-cs6fpKg1_HCAk
Subject: Re: [dane] Manipulation of DNSSEC by US government possible? (was Re: Comments on draft-wouters-dane-openpgp-02)
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>

Renne,

While it is technically true that the holder of the trust anchor could
alter key material, it would be impossible to accomplish unnoticed.  In
order for a trust anchor to change your zone (say by changing an A record),
they would have to create a new private key (and corresponding public key),
then sign the altered RR set.

Your DNS key signing and zone signing keys should be protected with as
much diligence as your private signing and encryption keys.

It is as though a locksmith would have to change the locks on a house in
order to open the door.  Sure, they can do it, but the homeowner will notice
immediately when their keys no longer work.  My analogy breaks down if you
take it too far, but I hope it conveys the point.

I am far more worried about vectors that can be leveraged passively and
unobtrusively.

I agree that we should be open about DNSSEC/DANE; however, the holder of the
trust anchor cannot manipulate the DNS without being detected.
-- 
Glen Wiley
KK4SFV

Sr. Engineer
The Hive, Verisign, Inc.
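
The mechanism Glen describes above (a record cannot be altered under the existing signature, so the trust-anchor holder has to mint a new zone key, publish a matching DS under the anchor key and re-sign, which the zone owner can detect by comparing the published key against the one they enrolled) can be modelled in a few lines. The following is an added illustration, not code from the DANE thread or from any DNSSEC implementation: textbook RSA with small, well-known primes stands in for the real DNSSEC algorithms (a constructed, deliberately insecure toy), the record layout is a simplified assumption rather than wire format, and the functions `validate_chain` (resolver view) and `key_changed` (zone-owner view) are names chosen here.

```python
"""Toy model: a trust-anchor holder can only change a signed zone by introducing
new key material, and that change is visible to the zone owner.
Added illustration, not from the DANE thread. Textbook RSA with small primes
stands in for DNSSEC algorithms (constructed, insecure toy); record layout is a
simplified assumption rather than wire format."""
import hashlib
from dataclasses import dataclass, field


def make_key(p, q, e=65537):
    """Constructed toy RSA key from two small primes: illustration only, not secure."""
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": e, "d": pow(e, -1, phi)}


def pub_of(key):
    return {"n": key["n"], "e": key["e"]}


def _digest_int(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, data):
    return pow(_digest_int(data, priv["n"]), priv["d"], priv["n"])


def verify(pub, data, sig):
    return pow(sig, pub["e"], pub["n"]) == _digest_int(data, pub["n"])


def key_digest(pub):
    """Stand-in for a DS record: a hash of the child's published DNSKEY."""
    return hashlib.sha256(f"{pub['n']}:{pub['e']}".encode()).hexdigest()


def canonical(records):
    """Deterministic encoding of an RRset-like dict so signatures are stable."""
    return "|".join(f"{k}={v}" for k, v in sorted(records.items())).encode()


@dataclass
class Zone:
    name: str
    records: dict                       # constructed: "<type> <owner>" -> value
    dnskey: dict = field(default_factory=dict)
    rrsig: int = 0


def publish(name, records, priv):
    """Sign an RRset with the zone's private key and publish the public half."""
    zone = Zone(name, dict(records), pub_of(priv))
    zone.rrsig = sign(priv, canonical(zone.records))
    return zone


def validate_chain(anchor_pub, root, child):
    """Resolver view: trust anchor -> root RRSIG -> DS -> child DNSKEY -> child RRSIG."""
    if not verify(anchor_pub, canonical(root.records), root.rrsig):
        return False
    if root.records.get(f"DS {child.name}") != key_digest(child.dnskey):
        return False
    return verify(child.dnskey, canonical(child.records), child.rrsig)


def key_changed(child, pinned_digest):
    """Zone-owner view: does the key now published differ from the one we enrolled?"""
    return key_digest(child.dnskey) != pinned_digest


def build_world():
    root_priv = make_key(104729, 1299709)        # trust anchor key (constructed)
    zone_priv = make_key(15485863, 32452843)     # example. zone key (constructed)
    child = publish("example.", {"A example.": "192.0.2.10"}, zone_priv)
    root = publish(".", {f"DS {child.name}": key_digest(child.dnskey)}, root_priv)
    return root_priv, root, child


def substitute_key(root_priv, root, child, new_value):
    """Model of the message's scenario: the anchor holder changes a child record.
    Lacking the zone's own key, they must mint a new zone key, publish a matching
    DS under the anchor key and re-sign both zones."""
    new_priv = make_key(49979687, 86028121)      # constructed replacement key
    new_child = publish(child.name, {**child.records, "A example.": new_value}, new_priv)
    root_records = {**root.records, f"DS {child.name}": key_digest(new_child.dnskey)}
    return publish(root.name, root_records, root_priv), new_child


def run_scenarios():
    root_priv, root, child = build_world()
    anchor = pub_of(root_priv)
    pinned = key_digest(child.dnskey)            # owner records the key at enrollment
    # 1. Honest chain: validates, and the owner's pinned key still matches.
    honest = (validate_chain(anchor, root, child), key_changed(child, pinned))
    # 2. Record altered in place without the zone key: signature no longer verifies.
    altered = Zone(child.name, {"A example.": "198.51.100.7"}, child.dnskey, child.rrsig)
    in_place = validate_chain(anchor, root, altered)
    # 3. Key substitution: resolvers accept the new chain, but the owner's pin trips.
    new_root, new_child = substitute_key(root_priv, root, child, "198.51.100.7")
    substituted = (validate_chain(anchor, new_root, new_child), key_changed(new_child, pinned))
    return {"honest": honest, "in_place": in_place, "substituted": substituted}


if __name__ == "__main__":
    print(run_scenarios())
```

The three scenarios are the argument in miniature: editing the record under the old signature fails validation outright, while the only way to make the altered record validate is to swap in new key material, and that swap is exactly what a zone owner comparing the live DNSKEY/DS against the enrolled value will see. In practice that comparison is what a periodic monitor of your own zone's DS and DNSKEY RRsets provides.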




On 7/30/14 6:15 AM, "Rene Bartsch" <ietf@bartschnet.de> wrote:

>Two years ago I would have thought the same. But today we are far beyond
>conspiracy theories. We are facing the biggest coordinated hacker attack
>in the history of the internet. After what we've learned in the last year,
>the US government has abused the trust of billions of internet users to
>gain control over the internet. We have no clue what other governments
>and intelligence agencies have done or might do. The former director of
>the Austrian intelligence agency expects a lot of new disclosures in the
>next half year. Internet users worldwide are furious about the
>situation.
>
>If we sell DANE as a magic bullet without mentioning that the trust anchor
>can manipulate the whole DNSSEC system and who the trust anchor is, users
>will trust DANE blindly. If the trust anchor abuses control over DNSSEC,
>this will blow up in our faces and harm the reputation of the
>IETF.
>
>In my opinion we should mention the identity of the DNSSEC trust anchor
>in the security considerations, and we should mention that the DNSSEC trust
>anchor has the possibility to manipulate the whole DNSSEC system.
>
>Regards,
>
>Renne
>
>
>On 2014-07-28 19:12, Olafur Gudmundsson wrote:
>> <chair-hat>
>> This discussion is off topic.
>> DANE is about how to leverage DNSSEC by applications and conspiracy
>> theories are not within our charter.
>> 
>> Anyone that does not trust DNSSEC operations is free to ignore
>> distribution of OPENPGP keys via DNS, and continue to
>> use the web of trust.
>> </chair-hat>
>> 
>> 	Olafur
>> 
>> On Jul 28, 2014, at 10:59 AM, Rene Bartsch <ml@bartschnet.de> wrote:
>> 
>>> Maybe I misunderstood draft-zhang-ct-dnssec-trans-00 but I do not see
>>> how it would help. Consider the following case:
>>> 
>>> (Forced by secret US law) The IANA secretly hands over the current
>>> private key of the DNSSEC trust anchor to a US government agency, which
>>> uses the private key to sign forged zones and feeds them to DNS
>>> resolvers. That way US government agencies would be able to manipulate
>>> any DNS record, including OpenPGP, while users would be lulled into a
>>> false sense of security.
>>> 
>>> In case I didn't miss any super-security feature, users should be aware
>>> of that fact.
>>> 
>>> On 2014-07-28 15:52, Paul Wouters wrote:
>>>>> 3. Security considerations: The IANA has control over the DNSSEC
>>>>> root keys. As the IANA is bound to US law, US government agencies
>>>>> probably have access to the DNSSEC root keys and are capable of
>>>>> manipulating the OpenPGP keys signed with DNSSEC.
>>>> There is currently a first attempt at specifying transparency for
>>>> DNSSEC for those who want to audit/track the DNSSEC root or parent
>>>> domain holders:
>>>> http://tools.ietf.org/html/draft-zhang-ct-dnssec-trans-00
>>>> Paul
>>> 
>>> --
>>> Best regards,
>>> 
>>> Renne
>>> 
>>> _______________________________________________
>>> dane mailing list
>>> dane@ietf.org
>>> https://www.ietf.org/mailman/listinfo/dane
>
>-- 
>Best regards,
>
>Rene Bartsch, B. Sc. Informatics
>