Re: [DNSOP] DNSSEC as a Best Current Practice

[Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>]

Paul Wouters wrote:

>>  If a parent zone administrator or some employee of it is 
>> compromised and forged zone delegation (with an IP address of a
>> forged nameserver using forged public/secret keys) is signed by a
>> valid key, it will not be noticed easily.

> Such an individual would have to get access, create the records, give
> them to others, who then have to on-path attack you. At the TLD level
> and higher, this involves HSMs and physical access restrictions using
> a “four eyes minimum” approach.

First, such impressively strong in depth security as strong
as those for nuclear reactors at Fukushima demonstrates a
fact that PKI is not cryptographically secure.

Not surprisingly, diginotar was equally strongly secure.

	https://roselabs.nl/files/audit_reports/Fox-IT_-_DigiNotar.pdf

	The main production servers of DigiNotar, including the
	CA servers and the accompanying hardware security module
	(netHSM), were located in a physically highlysecured
	room and in the Secure-net network segment.

	When a request was approved using the four-eye principle,

	In order for the CA software to automatically sign the
	certificate request, the appropriate private key
	needed to be activated in the netHSM. This was done
	by authorized employees by entering a smartcard
	into the netHSM combined with a PIN code.

So, DNSSEC TLDs are as secure as diginotar.

> At this point, it is easier to obtain physical access to the enduser
> device and compromise the OS, browser or webpki stack - DNS attack is
> not needed.

According to your theory, diginotar should not have been attacked.

It's like guaranteeing nuclear reactors protected by in depth
security never meltdown, proven by so many experts.

But, real security experts including bad guys are not hyped
by mere impression of security, which is merely not very
strong obscurity, which caused meltdown of diginotar.

So, may I volunteer to write a WG ID to obsolete DNSSEC
because it is only as secure as diginotar?

>> Merely because message ID is short, which can be improved, which is
>> a lot easier than deploying so costly DNSSEC.
> 
> You did not answer my earlier question on how you obtain this alleged
> secure IP address of all DNS nameservers you plan to talk to with
> "extra strong message ID".

I can't understand your question because upgrading all the
nameservers and resolvers operated by security aware
operators longer message ID capable is not so difficult.

 > Note also the same employee from above can tcpdump their nameserver
 > or read the RAM and give the extra strong message ID to the attacker.
 > So all attacks you attribute to DNSSEC apply to msg ID too.

So, just accept the reality that DNS, relying on zone chain,
which is subject to MitM attacks on intermediate zones, can not
be so secure regardless of whether you use DNSSEC or not.

>> If a resolver has some knowledge on contents of an attacked zone,
>> such as IP addresses of some servers or some DNSSEC keys, it can
>> detect a DNS (both resolver and DNSSEC) attack by comparing,
>> unless an attacker knows IP addresses of detecting resolvers and 
>> return unforged answers to them. So?
> 
> Forged answers require access to a private key. As stated those tend
> to be in HSMs or offline, 

HSMs? See above.

> so "attacker knowing IP address" is
> insufficient to forge answers.

I'm afraid you completely miss my point.

						Masataka Ohta