Re: [dnsext] [DNSOP] DNS vulnerabilities

"Hosnieh Rafiee" <ietf@rozanak.com> Sun, 27 October 2013 09:34 UTC

From: Hosnieh Rafiee <ietf@rozanak.com>
To: 'Masataka Ohta' <mohta@necom830.hpcl.titech.ac.jp>
References: <008a01ced1d8$41885d40$c49917c0$@rozanak.com> <526BAEAE.6080806@necom830.hpcl.titech.ac.jp> <20131026205549.B82668F895D@rock.dv.isc.org>
In-Reply-To: <20131026205549.B82668F895D@rock.dv.isc.org>
Date: Sun, 27 Oct 2013 10:33:40 +0100
Message-ID: <001701ced2f7$a3efcd40$ebcf67c0$@rozanak.com>
Cc: 'Andrew Sullivan' <ajs@crankycanuck.ca>, DNSOP@ietf.org, dnsext@ietf.org

> In message <526BAEAE.6080806@necom830.hpcl.titech.ac.jp>, Masataka
> Ohta writes:
> > Hosnieh Rafiee wrote:
> >
> > > I have gathered some vulnerabilities in the current DNS security
> > > approaches such as DNSSEC and etc.  We think it is useful to have a
> > > survey of existing vulnerabilities or any new vulnerabilities so
> > > that we can address those issues in other standard RFC.  This is why
> > > we plan to write a new informational draft.
> >
> > As was discussed recently in IETF ML, a serious vulnerability of, so-
> > called, DNSSEC is the lack of secure time.
> >
> > In the discussion, there is no practical solution against it, though
> > some security novices innocently believed GPS time was automagically
> > secure.
> >
> > That is, so far, there is no way to have really secure DNSSEC.
> >
> > 						Masataka Ohta

I guess this problem is also true for any protocol that uses timestamps in
its signatures and is not DNSSEC specific, because the nodes need to consider
clock skew (for at least a few seconds) and this is actually where the
attacker can attack the node (replay attack...).



-----------smile----------
Hosnieh
. success is a journey, not a destination..
You cannot change your destination overnight, but you can change your
direction ... Focus on the journey
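The point made in the reply above, that a clock-skew allowance is exactly the window a replayed signature lands in, can be made concrete on the validator side. The following is an added example, not code from the thread or from any DNSSEC implementation: it implements the RRSIG validity-period check of RFC 4035 section 5.3.1 using the 32-bit serial-number arithmetic RFC 4034 requires for the Inception and Expiration fields, adds a local skew tolerance, and shows how a correctly signed but expired record is rejected with no skew and accepted for as long as the skew allowance lasts. The sample RRSIG times, the `skew` policy value, and the inception-after-expiration sanity check are my own constructions, not anything the message or the RFCs prescribe.

```python
"""Added example: RRSIG validity-window check with clock-skew tolerance.

Not taken from the thread or any resolver. Assumptions (mine): RRSIG
Inception/Expiration are YYYYMMDDHHmmSS in UTC (RFC 4034 3.2), compared
as 32-bit unsigned seconds using RFC 1982 serial arithmetic (RFC 4034
3.1.5); `skew` is a local validator policy, not a protocol field.
"""
from datetime import datetime, timezone

MOD = 1 << 32    # RRSIG times are 32-bit unsigned seconds since the epoch
HALF = 1 << 31   # RFC 1982: 'a <= b' when b is less than half the space ahead


def parse_rrsig_time(text: str) -> int:
    """Parse the presentation form YYYYMMDDHHmmSS (UTC) into a 32-bit integer."""
    dt = datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp()) % MOD


def serial_le(a: int, b: int) -> bool:
    """RFC 1982 serial-number comparison 'a <= b' with 32-bit wraparound."""
    a %= MOD
    b %= MOD
    return a == b or (b - a) % MOD < HALF


def rrsig_time_valid(inception: int, expiration: int, now: int, skew: int = 0) -> bool:
    """RFC 4035 5.3.1: inception <= now <= expiration.

    Each edge is relaxed by `skew` seconds so that signer/validator clock
    drift does not make fresh data bogus; the same relaxation is the extra
    time an attacker has to replay a captured, already-expired RRSIG.
    """
    return serial_le(inception - skew, now) and serial_le(now, expiration + skew)


def validate_with_policy(rrsig: dict, now: int, skew: int) -> str:
    """Classify one RRSIG's timing at validator time `now` under a skew policy."""
    inc = parse_rrsig_time(rrsig["inception"])
    exp = parse_rrsig_time(rrsig["expiration"])
    if not serial_le(inc, exp):  # my own sanity check: signer emitted nonsense
        return "bogus: inception after expiration"
    if rrsig_time_valid(inc, exp, now, skew):
        return "valid"
    return "expired" if serial_le(exp, now) else "not yet valid"


# Constructed sample: a one-week signature lifetime ending at the date
# of the quoted message (not a real zone's RRSIG).
SAMPLE_RRSIG = {
    "inception": "20131020000000",
    "expiration": "20131027000000",
}


def demo() -> dict:
    """Outcomes for a replayed record 1 s before, 2 min after and 10 min after
    expiration, under a zero-skew policy and a 300 s skew policy."""
    t_expire = parse_rrsig_time(SAMPLE_RRSIG["expiration"])
    results = {}
    for skew in (0, 300):
        results[skew] = [
            validate_with_policy(SAMPLE_RRSIG, t_expire + offset, skew)
            for offset in (-1, 120, 600)
        ]
    return results


if __name__ == "__main__":
    for skew, outcomes in demo().items():
        print(f"skew={skew:>3}s  [-1s, +120s, +600s] -> {outcomes}")
```

Run stand-alone, the demo shows the replayed record accepted at +120 s only under the 300 s skew policy, which is the trade-off a validator operator is making when choosing that value: wide enough to absorb real clock drift, no wider, and paired with short signature lifetimes so the window a captured RRSIG stays usable is bounded by policy rather than by the attacker's patience.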