Re: OFFTOPIC: DNSSEC groupthink versus improving DNS

Duane at e164 dot org <duane@e164.org> Fri, 08 August 2008 09:34 UTC

Message-ID: <489C1211.3030207@e164.org>
Date: Fri, 08 Aug 2008 19:29:53 +1000
From: Duane at e164 dot org <duane@e164.org>
User-Agent: Thunderbird 2.0.0.16 (X11/20080724)
MIME-Version: 1.0
To: bert hubert <bert.hubert@netherlabs.nl>
CC: sthaug@nethelp.no, denic@eng.colt.net, namedroppers@ops.ietf.org
Subject: Re: OFFTOPIC: DNSSEC groupthink versus improving DNS
References: <489BF4C8.9000309@e164.org> <B786FB32-89AB-412E-A502-1CEB9A404041@eng.colt.net> <489C0370.4080502@e164.org> <20080808.104957.74720707.sthaug@nethelp.no> <20080808085430.GC6566@outpost.ds9a.nl>
In-Reply-To: <20080808085430.GC6566@outpost.ds9a.nl>
List-ID: <namedroppers.ops.ietf.org>

bert hubert wrote:
> On Fri, Aug 08, 2008 at 10:49:57AM +0200, sthaug@nethelp.no wrote:
> 
>> probability of spoofing - but as has been pointed out many times here,
>> this is not a *solution*. It mitigates the problem, it doesn't solve
>> it.
> 
> Mitigation to the point where it will take a million years is effectively a
> solution against spoofing.
> 
> People with sufficiently powerful computers could also break DNSSEC
> security. 

Or the knowledge to factor asymmetric keys in a way no one else has thought
of would let someone perpetrate a DNSSEC attack much more easily still.

Currently it's assumed that quantum computing would be needed to solve
this problem; however, people assumed MD5/SHA-1 didn't suffer any flaws
until it came out they were vulnerable.

Brute force is merely the slowest way to break keys, not the only way.

As for CPU hours needed to brute force keys:

http://en.wikipedia.org/wiki/RSA_Factoring_Challenge

A tad less than a million ;)

-- 

Best regards,
 Duane

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>
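The message above argues that brute force is the slowest way to recover a key and that structured factoring does the real damage. As an added illustration (not part of Duane's post or of any DNSSEC implementation), the following script factors a constructed toy RSA-style modulus two ways and counts the work each takes: plain trial division (try every candidate divisor) and Pollard's rho (a textbook factoring method that exploits the algebra of the modulus). The primes 999983 and 1000003 are chosen for the demo; they are tiny compared with any real signing key and are used only to make the step counts comparable.

```python
"""Brute force versus structured factoring on a toy RSA-style modulus.

Added example, not code from the original message. The modulus is
constructed from two small primes so both methods finish instantly;
real key sizes are many orders of magnitude beyond either approach.
"""
import math


def trial_division(n):
    """Brute force: try divisors 2, 3, 5, 7, ... up to sqrt(n).

    Returns (smallest_prime_factor, candidates_tried).
    """
    if n % 2 == 0:
        return 2, 1
    steps = 1          # the check of 2 counts as one candidate
    d = 3
    while d * d <= n:
        steps += 1
        if n % d == 0:
            return d, steps
        d += 2
    return n, steps    # n itself is prime


def pollard_rho(n, seed=2, c=1):
    """Pollard's rho with Floyd cycle detection.

    Returns (nontrivial_factor, gcd_evaluations). If a run degenerates
    (gcd == n), the polynomial constant is changed and the run retried.
    """
    if n % 2 == 0:
        return 2, 1
    steps = 0
    while True:
        x = y = seed
        d = 1
        while d == 1:
            x = (x * x + c) % n            # tortoise: one step
            y = (y * y + c) % n            # hare: two steps
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
            steps += 1
        if d != n:
            return d, steps
        c += 1                             # retry with a new polynomial


def compare(p, q):
    """Factor n = p*q both ways and report the effort of each.

    p and q are assumed prime (constructed inputs for the demo).
    """
    n = p * q
    td_factor, td_steps = trial_division(n)
    rho_factor, rho_steps = pollard_rho(n)
    return {
        "n": n,
        "trial_division": (td_factor, td_steps),
        "pollard_rho": (rho_factor, rho_steps),
        "speedup": td_steps / rho_steps,
    }


if __name__ == "__main__":
    # Constructed toy primes: 999983 (largest 6-digit prime) and 1000003.
    result = compare(999983, 1000003)
    print(f"n = {result['n']}")
    f, s = result["trial_division"]
    print(f"trial division : factor {f} after {s} candidates")
    f, s = result["pollard_rho"]
    print(f"Pollard's rho  : factor {f} after {s} gcd evaluations")
    print(f"rho needed roughly {result['speedup']:.0f}x fewer steps")
```

Trial division has to walk up to the smaller prime, so its step count grows with the size of the factor; rho's expected effort grows with its square root. The gap is the whole point of the message: an attacker who knows a better algorithm does not need the "million years" of raw computation that a brute-force estimate promises.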