IETF Logo Mail Archive

Re: How do we get the whole world to upgrade to DNSSEC capable resolvers?

David Conrad <drc@virtualized.org> Wed, 13 August 2008 18:02 UTC

Return-Path: <owner-namedroppers@ops.ietf.org>
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9E3DD3A67F3; Wed, 13 Aug 2008 11:02:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.209
X-Spam-Level:
X-Spam-Status: No, score=-4.209 tagged_above=-999 required=5 tests=[AWL=0.228, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_ORG=0.611, RCVD_IN_DNSWL_MED=-4, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sQK6udrUBm0a; Wed, 13 Aug 2008 11:02:29 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id A19DE3A63CB; Wed, 13 Aug 2008 11:02:29 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1KTKbD-0002yV-O9 for namedroppers-data@psg.com; Wed, 13 Aug 2008 17:57:31 +0000
Received: from [204.152.189.190] (helo=virtualized.org) by psg.com with esmtp (Exim 4.69 (FreeBSD)) (envelope-from <drc@virtualized.org>) id 1KTKbA-0002yA-18 for namedroppers@ops.ietf.org; Wed, 13 Aug 2008 17:57:29 +0000
Received: from [10.0.1.199] (c-71-198-3-247.hsd1.ca.comcast.net [71.198.3.247]) by virtualized.org (Postfix) with ESMTP id 757962D2BF4; Wed, 13 Aug 2008 10:57:26 -0700 (PDT)
Cc: Namedroppers WG <namedroppers@ops.ietf.org>
Message-Id: <6C901653-139A-44BB-A11C-F244712F0362@virtualized.org>
From: David Conrad <drc@virtualized.org>
To: Eric Rescorla <ekr@networkresonance.com>
In-Reply-To: <20080813161754.6E16850846@romeo.rtfm.com>
Content-Type: text/plain; charset="US-ASCII"; format="flowed"; delsp="yes"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v928.1)
Subject: Re: How do we get the whole world to upgrade to DNSSEC capable resolvers?
Date: Wed, 13 Aug 2008 10:57:22 -0700
References: <B5457C05-D2EA-4A31-94AB-84807AC62843@virtualized.org> <Pine.LNX.4.44.0808121535120.3680-100000@citation2.av8.net> <20080813161754.6E16850846@romeo.rtfm.com>
X-Mailer: Apple Mail (2.928.1)
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>

On Aug 13, 2008, at 9:17 AM, Eric Rescorla wrote:
> At Tue, 12 Aug 2008 15:45:57 -0400 (EDT),
>>>> Only SSL can protect you here.
>>> As Dan Kaminsky points out: "SSL certs themselves are dependent on  
>>> the
>>> DNS".
>> Kaminsky is wrong.
> Based on my brief skim of Kaminsky's presentation, I think his
> argument is that because CAs often use e-mail answerback as a
> certificate validation mechanism, a compromise of DNS can be used to
> obtain a fake SSL/TLS certificate.

That is (as I understand) part of it.

> Of course, there's nothing stopping
> CAs from requesting more validation (in fact, I believe that's what EV
> certificates already do), in which case there would not be a DNS-based
> threat.

Right.  And if the CA uses VOIP that does a DNS lookup, or if the  
databases the CA uses are reached via DNS, or if the CA uses software  
that does self-updates after looking up the 'phone home' server via  
DNS, or ....

I believe what Dan was pointing out is the DNS is an underlying  
infrastructure which all sorts of other infrastructure relies upon and  
if you can crack the DNS infrastructure, lots of other stuff becomes  
much more "interesting" (in the Ebola virus sense of 'interesting'),  
sometimes in ways that aren't necessarily obvious.

Regards,
-drc


--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>

v2.23.0 | Report a Bug | By Email