RE: How do we get the whole world to upgrade to DNSSEC capable resolvers?

Alex Bligh <alex@alex.org.uk> Tue, 29 July 2008 15:27 UTC

Date: Tue, 29 Jul 2008 16:22:38 +0100
From: Alex Bligh <alex@alex.org.uk>
Reply-To: Alex Bligh <alex@alex.org.uk>
To: "Jesper G. Høy" <jesper@jhsoft.com>, namedroppers@ops.ietf.org
cc: Alex Bligh <alex@alex.org.uk>
Subject: RE: How do we get the whole world to upgrade to DNSSEC capable resolvers?
Message-ID: <572015C3F44995F54736D38B@Ximines.local>
In-Reply-To: <028a01c8f18c$7f6bb620$7e432260$@com>
References: <48875934.8080101@links.org> <F113C53F-D189-45A0-8DC3-14725395D1BD@virtualized.org> <20080723183227.GA11957@outpost.ds9a.nl> <028601c8f185$eeb51b90$cc1f52b0$@com> <F64EF155F05968A001280C7B@Ximines.local> <028a01c8f18c$7f6bb620$7e432260$@com>
X-Mailer: Mulberry/4.0.8 (Mac OS X)
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>


--On 29 July 2008 17:05:09 +0200 "Jesper G. Høy" <jesper@jhsoft.com> wrote:

> If DNSSEC tells you (signed and secure) that my website is at 1.2.3.4 -
> the bad guy on the wire can still intercept and replace all the traffic
> from your browser to 1.2.3.4 and feed his own stuff back to your browser
> appearing to come from 1.2.3.4.
>
> Having the correct IP address of my web-server is no guarantee that you
> are actually talking to the right server - when the bad guy is
> on-the-wire that is.

Sure, but then that's true of any use of trusted information in an
insecure manner. DNS doesn't just carry IP addresses, and there's nothing
to prevent one from putting other information (e.g. public keys) in the
DNS. You mentioned "that's what SSL is for"; it would be equally possible
to secure http (or smtp or whatever) using public keys retrieved over
DNSSEC to avoid the attack you mention above. Without DNSSEC you need
some other mechanism of ensuring the public key is correct; whilst
SSL certificates have got good traction for HTTP, they haven't for
(e.g.) SMTP.

This is a useful discussion if only because it shows there are two meanings
of "on the wire attacks" (i.e. attacks on DNS, and attacks based on an
intercept of the results of the lookups).

Alex

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>
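The two attacks the message separates, as an added example that is not part of the original message or its author's work: a client that only trusts DNS records a validating resolver has marked authenticated (the AD bit, against tampering with the lookup itself), and then compares the public key the peer presents with a digest published in DNS (against an intercept of the connection to the correct address). The "KEYDIGEST" record type, the names, keys and the dial() callbacks are constructed assumptions; this is not a real DNS or TLS stack.

```python
"""Added example (not from the original message). Models the two senses of
"on the wire" from the thread:
  (1) an attack on the DNS lookup, and
  (2) an intercept of the connection made to the looked-up address.
A validating resolver's AD bit addresses (1); to address (2) with key
material carried in DNS, the client must only use authenticated records
and must pin the key the peer presents to the published digest.
"KEYDIGEST", the names, keys and dial() callbacks are constructed."""
import hashlib
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class DnsAnswer:
    name: str
    rtype: str           # "A", or the hypothetical "KEYDIGEST"
    rdata: str           # dotted address, or hex SHA-256 of a public key
    authenticated: bool  # stands in for the AD bit from a validating resolver


@dataclass(frozen=True)
class Handshake:
    peer_ip: str
    peer_public_key: bytes   # key the peer presented (constructed, not X.509)


class Insecure(Exception):
    pass


def key_digest(public_key: bytes) -> str:
    return hashlib.sha256(public_key).hexdigest()


def lookup(answers: List[DnsAnswer], name: str, rtype: str) -> List[str]:
    """Records for (name, rtype); refuse if any copy is unauthenticated, so a
    spoofed or unsigned answer (attack 1) never becomes trusted input."""
    recs = [a for a in answers if a.name == name and a.rtype == rtype]
    if recs and not all(a.authenticated for a in recs):
        raise Insecure(f"{rtype} for {name} is not DNSSEC-authenticated")
    return [a.rdata for a in recs]


def secure_connect(answers: List[DnsAnswer], name: str,
                   dial: Callable[[str], Handshake]) -> Handshake:
    """Resolve, dial the first address, then pin the presented key to the
    digest published in DNS (this is what defeats attack 2)."""
    addrs = lookup(answers, name, "A")
    digests = lookup(answers, name, "KEYDIGEST")
    if not addrs or not digests:
        raise Insecure(f"missing A or KEYDIGEST records for {name}")
    hs = dial(addrs[0])
    if key_digest(hs.peer_public_key) not in digests:
        raise Insecure(f"key from {hs.peer_ip} does not match DNS digest")
    return hs


# --- constructed scenario: a signed zone and two kinds of wire -------------
SERVER_KEY = b"constructed-public-key-of-www.example"
ATTACKER_KEY = b"constructed-public-key-of-the-bad-guy"
SIGNED = [
    DnsAnswer("www.example", "A", "1.2.3.4", True),
    DnsAnswer("www.example", "KEYDIGEST", key_digest(SERVER_KEY), True),
]
# Same records, but delivered without validation (or forged on the wire).
UNSIGNED = [DnsAnswer(a.name, a.rtype, a.rdata, False) for a in SIGNED]


def honest_wire(ip: str) -> Handshake:
    return Handshake(ip, SERVER_KEY)


def intercepted_wire(ip: str) -> Handshake:
    # Attack 2: the client reaches the right IP, but the bad guy answers
    # with his own key and would relay or replace the traffic.
    return Handshake(ip, ATTACKER_KEY)


def attempt(answers: List[DnsAnswer], dial: Callable[[str], Handshake]) -> str:
    try:
        hs = secure_connect(answers, "www.example", dial)
        return f"ok: {hs.peer_ip}"
    except Insecure as e:
        return f"refused: {e}"


if __name__ == "__main__":
    print(attempt(SIGNED, honest_wire))        # accepted
    print(attempt(SIGNED, intercepted_wire))   # refused: attack 2 (key mismatch)
    print(attempt(UNSIGNED, honest_wire))      # refused: attack 1 (no AD bit)
```

The check order matters: an unauthenticated answer is refused before any connection is made, and an authenticated address alone is never enough, since the key comparison happens after the handshake regardless of which IP was reached.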