Re: [dnsext] Possible DNSSECbis clarifications

Michael Graff <mgraff@isc.org> Mon, 28 March 2011 16:23 UTC



On 3/28/11 6:13 PM, Miek Gieben wrote:
> [ Quoting Marc Lampo at 17:55 on March 28 in "Re: [dnsext] Possible  DNSSECbis cl"... ]
>> A "theoretical" attack would be a "man-in-the-middle" changing the trailing
>> SOA, thus causing the secondary server to throw away each zone transfer it
>> attempts (if it "believes" the second SOA is correct, in the absence of a
>> valid RRSIG for it - that trailing SOA).
> 
> If you are scared of mitm attacks you should use tsig to secure the
> transfer IMO.

+1

DNSSEC is a query thing to me.  I don't know of any servers that
validate the transfer on load, but I am most familiar with BIND 9.

But, suppose there was a MITM attack and data was changed, the server
validated the data during transfer, and the data failed validation.  It
would then reject the transfer, just like if the SOAs don't match.

--Michael
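The two checks the thread contrasts, as an added illustration that is not part of any post above and not BIND's code: a secondary accepting an AXFR compares the leading and trailing SOA, and with TSIG it first verifies a per-message HMAC chained across the transfer (RFC 2845 section 4.4). The transfer is modelled as simplified text records rather than DNS wire format, the key and records are constructed, and HMAC-SHA256 stands in for the TSIG algorithm; all names here are assumptions.

```python
import hashlib
import hmac

# Constructed example: a shared TSIG secret and an AXFR stream rendered as
# simplified text records, not DNS wire format (illustration only).
KEY = b"constructed-example-tsig-secret"
SAMPLE_AXFR = [
    b"SOA example. serial=2011032801\nNS example. ns1.example.\n",
    b"A ns1.example. 192.0.2.1\nSOA example. serial=2011032801\n",
]
# The same stream with the trailing SOA's serial altered in transit.
TAMPERED_AXFR = SAMPLE_AXFR[:1] + [
    b"A ns1.example. 192.0.2.1\nSOA example. serial=2011032899\n",
]

def tsig_sign_stream(messages, key, request_mac=b""):
    """Primary side: one MAC per response message, each chained over the
    previous MAC, as RFC 2845 section 4.4 does for multi-message transfers."""
    macs, prev = [], request_mac
    for msg in messages:
        prev = hmac.new(key, prev + msg, hashlib.sha256).digest()
        macs.append(prev)
    return macs

def receive_axfr(messages, macs, key, request_mac=b"", verify_tsig=True):
    """Secondary side: verify the TSIG chain first, then apply the usual
    AXFR framing check (leading SOA must equal trailing SOA).
    Returns (accepted, reason)."""
    if verify_tsig:
        prev = request_mac
        for msg, mac in zip(messages, macs):
            expected = hmac.new(key, prev + msg, hashlib.sha256).digest()
            if not hmac.compare_digest(expected, mac):
                return False, "tsig: bad signature"  # would be BADSIG
            prev = mac
    records = [r for m in messages for r in m.decode().splitlines()]
    if not records or not (records[0].startswith("SOA ") and records[-1].startswith("SOA ")):
        return False, "axfr: not bracketed by SOA"
    if records[0] != records[-1]:
        return False, "axfr: leading/trailing SOA mismatch"
    return True, "ok"

def demo():
    macs = tsig_sign_stream(SAMPLE_AXFR, KEY)
    return {
        "clean": receive_axfr(SAMPLE_AXFR, macs, KEY),
        # Unsigned transfer: the altered SOA just looks like a benign mismatch.
        "tampered_no_tsig": receive_axfr(TAMPERED_AXFR, macs, KEY, verify_tsig=False),
        # TSIG-protected transfer: the same alteration is caught as a bad MAC.
        "tampered_tsig": receive_axfr(TAMPERED_AXFR, macs, KEY),
    }
```

Either way the transfer is discarded, which is the point made above; what TSIG adds is that the secondary can tell tampering from an ordinary SOA race and log it as such.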