Re: How do we get the whole world to upgrade to DNSSEC capable resolvers?

Paul Vixie <vixie@isc.org> Wed, 13 August 2008 17:39 UTC

From: Paul Vixie <vixie@isc.org>
To: "David W. Hankins" <David_Hankins@isc.org>
cc: namedroppers@ops.ietf.org
In-Reply-To: Your message of "Wed, 13 Aug 2008 09:39:36 MST." <20080813163936.GA18651@isc.org>
References: <B5457C05-D2EA-4A31-94AB-84807AC62843@virtualized.org> <Pine.LNX.4.44.0808121535120.3680-100000@citation2.av8.net> <OF6BFCDCCD.B3B7FD05-ON802574A4.004C3FB5-802574A4.004C6A52@nominet.org.uk> <764E89A0-32D2-4555-B61C-C8B7D88EB9E1@ca.afilias.info> <20080813163936.GA18651@isc.org>
Date: Wed, 13 Aug 2008 17:35:01 +0000
Message-ID: <36468.1218648901@nsa.vix.com>

> Or even Kaminsky-subverting http://www.bank.com/ to point to a host
> which produces a redirect to https://www.bankfoo.com/, which is under
> the attacker's full control.

no real reason to s/bank/bankfoo/ in that example.  once you've got the A RR
for www.bank.com you can just not redirect folks to https:.  (their bookmark
is likely to be for the http: site, as will their search engine exit.)  or if
the attacker wants to get CRAZY they can redirect to https: quite safely since
the majority of end users will just click "OK" on the resulting X.509 warning,
without reading it or understanding it.

kaminsky's plan to get a key issued by polluting the caching server of a CA so
that one can successfully emulate the desired common-name attribute is harder
work than needs doing, and so, i predict the criminals will take an easier way.

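The thread asks how to get resolvers that validate DNSSEC; the message above argues that a poisoned A RR for www.bank.com is enough on its own, because TLS warnings will not stop most users. The check a stub client can make against its resolver's answer, as an added example that is not part of the original message: parse the DNS header and accept an answer only when its transaction ID matches the query and the resolver set the AD (authenticated data) bit per RFC 4035. The sample responses are constructed inline; `build_response` is a hypothetical helper that exists only to produce test input.

```python
import struct

# DNS header flag bits (RFC 1035 / RFC 4035).
QR, RD, RA, AD, CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010


def build_response(txid, ad, rcode=0):
    """Constructed sample: a 12-byte DNS header plus the question
    'www.bank.com A IN'. Not a real captured packet."""
    flags = QR | RD | RA | rcode | (AD if ad else 0)
    header = struct.pack('!HHHHHH', txid, flags, 1, 1, 0, 0)
    qname = b''.join(bytes([len(l)]) + l for l in (b'www', b'bank', b'com')) + b'\x00'
    question = qname + struct.pack('!HH', 1, 1)   # QTYPE=A, QCLASS=IN
    return header + question


def parse_header(msg):
    """Decode the fixed 12-byte DNS header into a dict of the fields we need."""
    txid, flags, qd, an, ns, ar = struct.unpack('!HHHHHH', msg[:12])
    return {
        'id': txid,
        'qr': bool(flags & QR),
        'ra': bool(flags & RA),
        'ad': bool(flags & AD),
        'cd': bool(flags & CD),
        'rcode': flags & 0x000F,
        'ancount': an,
    }


def accept_answer(query_id, msg):
    """Return (accepted, reason). A stub that refuses unvalidated answers
    must see a response to *its* query (ID match) with AD set, meaning the
    resolver validated the DNSSEC chain for the answer."""
    h = parse_header(msg)
    if not h['qr']:
        return False, 'not a response'
    if h['id'] != query_id:
        return False, 'transaction id mismatch'
    if h['rcode'] != 0:
        return False, 'rcode %d' % h['rcode']
    if not h['ad']:
        return False, 'resolver did not set AD: answer unvalidated'
    return True, 'validated'
```

The AD bit is only as trustworthy as the path between the stub and the resolver: a forged response on an untrusted path can set it too, so the check belongs on a loopback or otherwise protected resolver link, not a bare UDP socket to the Internet.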