Re: [dane] Manipulation of DNSSEC by US government possible? (was Re: Comments on draft-wouters-dane-openpgp-02)
"Wiley, Glen" <gwiley@verisign.com> Wed, 30 July 2014 12:49 UTC
Renne,

While it is technically true that the holder of the trust anchor could alter key material, it would be impossible to accomplish unnoticed. In order for a trust anchor to change your zone (say by changing an A record) they would have to create a new private key (and corresponding public key) then sign the altered RR set. Your DNS key signing and zone signing keys should be protected with as much diligence as your private signing and encryption keys.

It is as though a locksmith would have to change the locks on a house in order to open the door. Sure they can do it but the homeowner will notice immediately when their keys no longer work. My analogy breaks down if you take it too far, but I hope it conveys the point.

I am far more worried about vectors that can be leveraged passively and unobtrusively.

I agree that we should be open about DNSSEC/DANE; however, the holder of the trust anchor cannot manipulate the DNS without being detected.

--
Glen Wiley
KK4SFV
Sr. Engineer
The Hive, Verisign, Inc.

On 7/30/14 6:15 AM, "Rene Bartsch" <ietf@bartschnet.de> wrote:

>Two years ago I would have thought the same. But today we are far beyond
>conspiracy theories. We are facing the biggest coordinated hacker attack
>in history of the internet. After what we've learned in the last year
>the US government has abused the trust of billions of internet users to
>gain control over the internet. We have no clue what other governments
>and intelligence agencies have done or might do. The former director of
>the Austrian intelligence agency expects a lot of new disclosures in the
>next half year. Internet users worldwide are furious about the
>situation.
>
>If we sell DANE as magic bullet without mentioning the trust anchor can
>manipulate the whole DNSSEC system and who the trust anchor is users
>will trust DANE blindly. If the trust anchor abuses control over DNSSEC
>this will blow up right into our face and harm the reputation of the
>IETF.
>
>In my opinion we should mention the identity of the DNSSEC trust anchor
>in security considerations and we should mention the DNSSEC trust anchor
>has the possibility to manipulate the whole DNSSEC system.
>
>Regards,
>
>Renne
>
>
>On 2014-07-28 19:12, Olafur Gudmundsson wrote:
>> <chair-hat>
>> This discussion is off topic.
>> DANE is about how to leverage DNSSEC by applications and conspiracy
>> theories are not within our charter.
>>
>> Anyone that does not trust DNSSEC operations is free to ignore
>> distribution of OPENPGP keys via DNS, and continue to
>> use the web of trust.
>> </chair-hat>
>>
>> Olafur
>>
>> On Jul 28, 2014, at 10:59 AM, Rene Bartsch <ml@bartschnet.de> wrote:
>>
>>> Maybe I misunderstood draft-zhang-ct-dnssec-trans-00 but I do not see
>>> how it would help. Consider the following case:
>>>
>>> (Forced by secret US law) The IANA secretly hands over the current
>>> private key of the DNSSEC trust anchor to a US government agency which
>>> uses the private key to sign forged zones and feeds them to DNS
>>> resolvers. That way US government agencies would be able to manipulate
>>> any DNS record including OpenPGP while users would be lulled in a
>>> false sense of security.
>>>
>>> In case I didn't miss any super-security feature users should be aware
>>> of that fact.
>>>
>>> On 2014-07-28 15:52, Paul Wouters wrote:
>>>>> 3. Security considerations: The IANA has control over the DNSSEC
>>>>> root keys. As the IANA is bound to US law, US government agencies
>>>>> probably have access to the DNSSEC root keys and are capable to
>>>>> manipulate the OpenPGP keys signed with DNSSEC.
>>>>
>>>> There is currently a first attempt at specifying transparency for
>>>> DNSSEC for those who want to audit/track the DNSSEC root or parent
>>>> domain holders:
>>>> http://tools.ietf.org/html/draft-zhang-ct-dnssec-trans-00
>>>> Paul
>>>
>>> --
>>> Best regards,
>>>
>>> Renne
>>>
>>> _______________________________________________
>>> dane mailing list
>>> dane@ietf.org
>>> https://www.ietf.org/mailman/listinfo/dane
>
>--
>Best regards,
>
>Rene Bartsch, B. Sc. Informatics
>
>_______________________________________________
>dane mailing list
>dane@ietf.org
>https://www.ietf.org/mailman/listinfo/dane
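
One way a zone owner could watch for the key substitution discussed in the reply above is sketched here as an added example; it is not part of the original message or of any DANE draft. It compares the DNSKEY records seen through a resolver against the owner's pinned set, using the RFC 4034 Appendix B key tag and the RFC 4509 SHA-256 DS digest. The zone name, the key bytes and all function names are constructed for illustration.

```python
import base64
import hashlib
import struct

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA wire form: flags(2) | protocol(1) | algorithm(1) | key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """RFC 4034 Appendix B key tag (not valid for algorithm 1, RSA/MD5)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def wire_name(name):
    """Canonical (lowercased) wire encoding of an owner name."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def ds_sha256(owner, rdata):
    """RFC 4509 DS digest: SHA-256(owner name | DNSKEY RDATA)."""
    return hashlib.sha256(wire_name(owner) + rdata).hexdigest()

def unexpected_keys(owner, pinned, observed):
    """Return (key_tag, algorithm, ds_digest) for observed keys the owner never published."""
    pinned_ds = {ds_sha256(owner, dnskey_rdata(*k)) for k in pinned}
    alerts = []
    for k in observed:
        rdata = dnskey_rdata(*k)
        digest = ds_sha256(owner, rdata)
        if digest not in pinned_ds:
            alerts.append((key_tag(rdata), k[2], digest))
    return alerts

# Constructed sample data: these short byte strings stand in for real public keys.
ZONE = "example.com."
OWNER_KSK = (257, 3, 8, "AQIDBA==")  # bytes 01 02 03 04
FOREIGN_KSK = (257, 3, 8, base64.b64encode(b"\x0a\x0b\x0c\x0d").decode())
PINNED = [OWNER_KSK]                  # what the owner generated and published
OBSERVED = [OWNER_KSK, FOREIGN_KSK]   # what a validating resolver returned

if __name__ == "__main__":
    for tag, alg, digest in unexpected_keys(ZONE, PINNED, OBSERVED):
        print(f"ALERT {ZONE} unknown DNSKEY tag={tag} alg={alg} ds_sha256={digest}")
```

The same digest comparison applies to the DS set held in the parent zone, which is where a substituted key-signing key would have to be anchored.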