Re: How do we get the whole world to upgrade to DNSSEC capable resolvers?

"David W. Hankins" <David_Hankins@isc.org> Wed, 13 August 2008 16:44 UTC

Date: Wed, 13 Aug 2008 09:39:36 -0700
From: "David W. Hankins" <David_Hankins@isc.org>
To: namedroppers@ops.ietf.org
Subject: Re: How do we get the whole world to upgrade to DNSSEC capable resolvers?
Message-ID: <20080813163936.GA18651@isc.org>
References: <B5457C05-D2EA-4A31-94AB-84807AC62843@virtualized.org> <Pine.LNX.4.44.0808121535120.3680-100000@citation2.av8.net> <OF6BFCDCCD.B3B7FD05-ON802574A4.004C3FB5-802574A4.004C6A52@nominet.org.uk> <764E89A0-32D2-4555-B61C-C8B7D88EB9E1@ca.afilias.info>
In-Reply-To: <764E89A0-32D2-4555-B61C-C8B7D88EB9E1@ca.afilias.info>

On Wed, Aug 13, 2008 at 11:52:14AM -0400, Joe Abley wrote:
> On 13 Aug 2008, at 09:54, Ray.Bellis@nominet.org.uk wrote:
>>> But it is not the case that your bank information can be stolen by this
>>> DNS attack, as Kaminsky seems to have told the mainstream press.
>>
>> Unless your bank used a weak cert generated on a Debian system...
>
> Or unless the authentication performed by the CA is easily subverted, 
> leading them to sell a certificate with a to-be-spoofed common name to a 
> third party.

Or even Kaminsky-subverting http://www.bank.com/ to point to a host
which produces a redirect to https://www.bankfoo.com/, which is under
the attacker's full control.

-- 
Ash bugud-gul durbatuluk agh burzum-ishi krimpatul.
Why settle for the lesser evil?	 https://secure.isc.org/store/t-shirt/
-- 
David W. Hankins	"If you don't do it right the first time,
Software Engineer		     you'll just have to do it again."
Internet Systems Consortium, Inc.		-- Jack T. Hankins

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>