Re: [DNSOP] I-D Action: draft-ietf-dnsop-ns-revalidation-06.txt

Florian Obser <florian+ietf@narrans.de> Mon, 18 March 2024 10:11 UTC

From: Florian Obser <florian+ietf@narrans.de>
To: Philip Homburg <pch-dnsop-5@u-1.phicoh.com>
Cc: dnsop@ietf.org
In-Reply-To: <m1rm9NQ-0000LXC@stereo.hq.phicoh.net> (Philip Homburg's message of "Mon, 18 Mar 2024 10:33:51 +0100")
References: <171073157523.47754.45386078992453305@ietfa.amsl.com> <m1msqwaur1.fsf@narrans.de> <m1rm9NQ-0000LXC@stereo.hq.phicoh.net>
Date: Mon, 18 Mar 2024 11:11:01 +0100
Message-ID: <m1il1jc0ju.fsf@narrans.de>
User-Agent: Gnus/5.13 (Gnus v5.13)
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/CvaW93lRNZ6bPZc2GQf9w54zLTw>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-ns-revalidation-06.txt

On 2024-03-18 10:33 +01, Philip Homburg <pch-dnsop-5@u-1.phicoh.com> wrote:
> In your letter dated Mon, 18 Mar 2024 08:01:38 +0100 you wrote:
>>On 2024-03-17 20:12 -07, internet-drafts@ietf.org wrote:
>>> Internet-Draft draft-ietf-dnsop-ns-revalidation-06.txt is now available. It 
>>is
>>
>>| 7.  Security Considerations
>>| [...]
>>| In case of non DNSSEC validating
>>| resolvers, an attacker controlling a rogue name server for the root
>>| has potentially complete control over the entire domain name space
>>| and can alter all unsigned parts undetected.
>>
>>can alter *all* parts undetected.
>>
>>It's a non-DNSSEC validating resolver, it doesn't care about signed or
>>unsigned. Maybe just drop that sentence, it doesn't add much.
>
> A non-DNSSEC-validating resolver may have downstream validators that can detect changes to signed data. So an attacker that wishes to stay undetected has to
> be careful not to modify signed data.

ah yes, true.

>
> I guess the authors should add some clarifying text here to make clear why
> in the case of a non validating resolver the attacker can only alter the
> unsigned parts.
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

-- 
In my defence, I have been left unsupervised.
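
The point Philip makes above (a downstream validator behind a non-validating resolver catches changes to signed data, so an attacker on the rogue-root path can only alter unsigned parts undetected) can be shown with a small model. The following is an added example written for this page, not code from the draft, from either poster, or from any resolver. It assumes an ed25519 key standing in for the zone's DNSKEY/RRSIG, a map of trusted zone keys standing in for the DS chain from the root (real validators must also prove the absence of a DS with signed NSEC/NSEC3 records, which is omitted here), and constructed names, addresses and key seed.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"sort"
	"strings"
)

// RRset is a simplified resource record set. Sig holds an RRSIG-like
// ed25519 signature over the canonical form, or nil when the zone is unsigned.
type RRset struct {
	Name  string
	Type  string
	RData []string
	Sig   []byte
}

// Status is the validator's verdict, named after RFC 4035 section 4.3.
type Status int

const (
	Secure   Status = iota // signature verified against a trust anchor
	Insecure               // no trust anchor covers this zone; accepted unvalidated
	Bogus                  // trust anchor exists but the data does not verify
)

var statusNames = [...]string{"Secure", "Insecure", "Bogus"}

func (s Status) String() string { return statusNames[s] }

// canonical builds the byte string the signature covers: owner name
// lower-cased, type, and the RDATA in sorted order (a stand-in for the
// RFC 4034 canonical RR ordering).
func canonical(r RRset) []byte {
	rdata := append([]string(nil), r.RData...)
	sort.Strings(rdata)
	return []byte(strings.ToLower(r.Name) + "|" + r.Type + "|" + strings.Join(rdata, "|"))
}

// sign is the zone owner's side: attach an RRSIG-like signature.
func sign(priv ed25519.PrivateKey, r RRset) RRset {
	r.Sig = ed25519.Sign(priv, canonical(r))
	return r
}

// zoneOf strips the leftmost label, so "www.example." belongs to "example.".
func zoneOf(name string) string {
	return name[strings.Index(name, ".")+1:]
}

// validate models the downstream validator. anchors maps a zone name to the
// public key it trusts for that zone and stands in for the DS chain from the
// root (the toy does not prove "no DS" with NSEC/NSEC3 as a real validator must).
func validate(anchors map[string]ed25519.PublicKey, r RRset) Status {
	pub, ok := anchors[zoneOf(r.Name)]
	if !ok {
		return Insecure // unsigned part of the tree: nothing to check against
	}
	if r.Sig == nil || !ed25519.Verify(pub, canonical(r), r.Sig) {
		return Bogus // signed zone, but the RRset was altered or the RRSIG stripped
	}
	return Secure
}

// tamper models the attacker who controls the rogue root server's path:
// rewrite the answer, pass any signature through unchanged.
func tamper(r RRset, rdata ...string) RRset {
	r.RData = rdata
	return r
}

// Scenario runs one signed and one unsigned RRset through the attacker and
// the validator and returns each verdict. Names, addresses and the key seed
// are constructed for this example.
func Scenario() map[string]Status {
	seed := make([]byte, ed25519.SeedSize)
	for i := range seed {
		seed[i] = byte(i) // fixed seed for a reproducible run; never do this for a real key
	}
	priv := ed25519.NewKeyFromSeed(seed)
	anchors := map[string]ed25519.PublicKey{"example.": priv.Public().(ed25519.PublicKey)}

	signed := sign(priv, RRset{Name: "www.example.", Type: "A", RData: []string{"192.0.2.10"}})
	unsigned := RRset{Name: "www.unsigned.test.", Type: "A", RData: []string{"192.0.2.20"}}
	stripped := signed
	stripped.Sig = nil

	return map[string]Status{
		"signed, untouched":       validate(anchors, signed),
		"signed, RDATA changed":   validate(anchors, tamper(signed, "198.51.100.66")),
		"signed, RRSIG stripped":  validate(anchors, stripped),
		"unsigned, untouched":     validate(anchors, unsigned),
		"unsigned, RDATA changed": validate(anchors, tamper(unsigned, "198.51.100.66")),
	}
}

func main() {
	res := Scenario()
	keys := make([]string, 0, len(res))
	for k := range res {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	for _, k := range keys {
		fmt.Printf("%-24s -> %s\n", k, res[k])
	}
}
```

The two "signed" tampering cases come back Bogus, which is what the downstream validator would report and what forces the attacker to leave signed data alone; the "unsigned" cases come back Insecure whether or not the RDATA was changed, which is the undetectable alteration the draft's sentence refers to.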