Re: [DNSOP] rfc4641bis: NSEC vs NSEC3.

Alex Bligh <alex@alex.org.uk> Sat, 23 January 2010 05:07 UTC

Date: Sat, 23 Jan 2010 05:06:50 +0000
From: Alex Bligh <alex@alex.org.uk>
To: Alex Bligh <alex@alex.org.uk>, Paul Wouters <paul@xelerance.com>
Message-ID: <BD6BE0873A1F8C3323DD04F8@nimrod.local>
In-Reply-To: <185C280129C4C3502DAC0F80@nimrod.local>
References: <200904282021.n3SKL3sg051528@givry.fdupont.fr> <59A58419-FDBD-4810-B2FA-0D293FFA00A5@NLnetLabs.nl> <alpine.LFD.1.10.1001211245180.12114@newtla.xelerance.com> <1AEAE091-2EB3-41DC-A51B-8DD49C10FAD5@NLnetLabs.nl> <24C8A8E2A81760E31D4CDE4A@Ximines.local> <alpine.LFD.1.10.1001221446090.24208@newtla.xelerance.com> <D6C3D7B5FE44C580F05A1673@nimrod.local> <alpine.LFD.1.10.1001221854270.24908@newtla.xelerance.com> <185C280129C4C3502DAC0F80@nimrod.local>
Cc: dnsop WG <dnsop@ietf.org>, Alex Bligh <alex@alex.org.uk>
Subject: Re: [DNSOP] rfc4641bis: NSEC vs NSEC3.

--On 23 January 2010 04:56:33 +0000 Alex Bligh <alex@alex.org.uk> wrote:

>> Having verifiable deniability for typo-squatted domains is very useful.
>
> If expensive, where 99% of your domains are unsigned.

By which I mean expensive given this isn't the cheapest attack vector.
If I want to typo-squat with a non-existent domain (and it's only
non-existent domains where verification of denial of existence is
an issue), I could just register the domain which would be far
more reliable than all the hocus pocus needed to get spoofing to
work. It's not that hard to get an SSL cert either. And if I
have got the technology to spoof, why not attack one of the 99%
unsigned domains in the zone, rather than an unregistered typo-squat
of a signed one, as the pickings will be far greater?

-- 
Alex Bligh
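The point under discussion, that authenticated denial of existence only comes into play for names that are absent from a signed zone, is easiest to see from the validator's side. The following is an added illustration, not code from this thread, the DNSOP WG, or any DNS implementation: it models an NSEC chain for a constructed zone (`example.com` with two child names), uses an HMAC with a constructed key as a stand-in for the RRSIG over each NSEC record, and implements the RFC 4034 section 6.1 canonical name ordering that decides whether an NSEC record covers a queried name. Wildcard and closest-encloser proofs that a complete NXDOMAIN validation also requires are deliberately left out.

```python
import hmac
import hashlib


def canonical_key(name: str) -> tuple:
    """Sort key implementing RFC 4034 section 6.1 canonical DNS name order:
    labels are compared right to left, case-insensitively; a name that is a
    prefix of another (label-wise) sorts first."""
    name = name.rstrip(".").lower()
    labels = name.split(".") if name else []
    return tuple(label.encode("ascii") for label in reversed(labels))


def nsec_covers(owner: str, next_name: str, qname: str, apex: str) -> bool:
    """True if the NSEC record owner -> next_name proves qname is absent.
    Simplified: wildcard / closest-encloser checks are omitted."""
    k_owner, k_next, k_q = map(canonical_key, (owner, next_name, qname))
    if k_q == k_owner:
        return False          # qname owns this NSEC, so it exists
    if k_next == canonical_key(apex):
        return k_q > k_owner  # last record in the chain wraps to the apex
    return k_owner < k_q < k_next


# --- constructed stand-in for a signed zone (not real DNSSEC) --------------
ZONE_KEY = b"constructed-zone-key"   # stands in for the zone's private key


def sign_nsec(owner: str, next_name: str) -> str:
    """HMAC standing in for the RRSIG over one NSEC RR."""
    msg = f"{owner} NSEC {next_name}".encode()
    return hmac.new(ZONE_KEY, msg, hashlib.sha256).hexdigest()


def verify_nsec_sig(owner: str, next_name: str, sig: str) -> bool:
    return hmac.compare_digest(sign_nsec(owner, next_name), sig)


APEX = "example.com"
# The zone holds the apex plus alpha and delta; each NSEC names its successor.
NSEC_CHAIN = [("example.com", "alpha.example.com"),
              ("alpha.example.com", "delta.example.com"),
              ("delta.example.com", "example.com")]
SIGNED_CHAIN = [(o, n, sign_nsec(o, n)) for o, n in NSEC_CHAIN]


def validate_nxdomain(qname: str, proof: tuple) -> str:
    """Validator side: accept an NXDOMAIN for qname only if the presented NSEC
    is both correctly signed and actually covers qname.
    proof is (owner, next_name, sig), as a resolver would relay it."""
    owner, next_name, sig = proof
    if not verify_nsec_sig(owner, next_name, sig):
        return "BOGUS: NSEC signature invalid"
    if not nsec_covers(owner, next_name, qname, APEX):
        return "BOGUS: NSEC does not cover name"
    return "SECURE NXDOMAIN"


if __name__ == "__main__":
    # Honest answer: charlie sorts between alpha and delta, so it is absent.
    print(validate_nxdomain("charlie.example.com", SIGNED_CHAIN[1]))
    # A denial for alpha (which exists) cannot be backed by any real NSEC.
    print(validate_nxdomain("alpha.example.com", SIGNED_CHAIN[1]))
    # An NSEC made up without the zone key fails the signature check.
    print(validate_nxdomain("alpha.example.com",
                            ("a.example.com", "z.example.com", "00" * 32)))
```

The contrast with an unsigned name is simply that there is no chain and no signature to check, so a validator has nothing to reject; that is the asymmetry the message above weighs against the cost of signing.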