IETF Logo Mail Archive

Re: [DNSOP] DNSSEC as a Best Current Practice

David Conrad <drc@virtualized.org> Mon, 21 March 2022 17:54 UTC

Return-Path: <drc@virtualized.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D2A433A0A2E for <dnsop@ietfa.amsl.com>; Mon, 21 Mar 2022 10:54:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.906
X-Spam-Level:
X-Spam-Status: No, score=-6.906 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=virtualized-org.20210112.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6jk4sm-z7m6w for <dnsop@ietfa.amsl.com>; Mon, 21 Mar 2022 10:54:02 -0700 (PDT)
Received: from mail-pl1-x632.google.com (mail-pl1-x632.google.com [IPv6:2607:f8b0:4864:20::632]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C8BF93A11C7 for <DNSOP@ietf.org>; Mon, 21 Mar 2022 10:53:53 -0700 (PDT)
Received: by mail-pl1-x632.google.com with SMTP id n18so13414991plg.5 for <DNSOP@ietf.org>; Mon, 21 Mar 2022 10:53:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=virtualized-org.20210112.gappssmtp.com; s=20210112; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=MhmxyXZ8hDjLF7BWUovI3oKPomi3OMPdRawgwjQhaO4=; b=sQPTvWfXYvH3iVU5IZ89ERuekFXv0tZ+DLnr8/ncAyLkZ1PRXxCrgACxw0Pqp/xOfB szqI4AYv5TiRsncVwcvWY1FhdnK7LFpmOlpEv28cTUZswvY7He6maL/2dQgQkjNzsJpv AohuY9TNXdHd3EeUBZArAmnbu1TgOEXpZFH4ELMbCBi3RvJMYLMocnzU0p/cQRf33C/I FrKphGpZsdkqPnHLImm+eMkdfyAi2QCEAdcrbd0CDeIKch+zm8bITrKwoxyoB2yAG3Mw bRDdwj5VTkma50zTNKzclaDkZoGe4hG7E9e6/kRnPKB/rJL+rMrxoOKmZcN0if3g3DeJ hlnw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=MhmxyXZ8hDjLF7BWUovI3oKPomi3OMPdRawgwjQhaO4=; b=FfiJGKaURBOBg+MR19B+0t6Zod/UKN6X4009weKIiTk4OBCozqLvm5YbNX9Q4ZR592 5ikiTJsoQapxXGCuPjRYZ3XAEPfSKUI8ibjT6l6rrxh22Qrp3jgwaQCgDo4ZQyEiAkrk INOYFbvBDvqf2qdheWDqKdZt60SJ8Le4kk7GtXXPaEaO1ezGru4pU8OUBwq00zJW0eBF vJ6DW8rnZNkGcAj8pubpGv9TNpIYKAfrEyMiKY3YZI+vde1rXqBmlBgvWW1YBtnAy9BR S7abbbjM5FTH6WkI1IIGn1r8ZYyZHwDW8icxWVVPH3zD6d1qqragwBS97Yf3covShBuK InWg==
X-Gm-Message-State: AOAM530OPT2/soq7zxu08aqCghn0GIGyWZKXbqNKccvYGvLOiviT8MKW 4K+SNU0uYrcl0dlfDSawGrtNlQ==
X-Google-Smtp-Source: ABdhPJxza+jRHaFORXql8uHSy56QQW7BE6xHQntxWZBjCs6DMLaM5ClahrFxAp5Lv5Jkv1PKZyj3Aw==
X-Received: by 2002:a17:903:24f:b0:14f:73fa:2b30 with SMTP id j15-20020a170903024f00b0014f73fa2b30mr14194337plh.174.1647885232444; Mon, 21 Mar 2022 10:53:52 -0700 (PDT)
Received: from smtpclient.apple ([2600:1700:5135:f1f:7cd9:a7a3:5edc:e104]) by smtp.gmail.com with ESMTPSA id ob8-20020a17090b390800b001c6a1e5595asm131404pjb.21.2022.03.21.10.53.51 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Mon, 21 Mar 2022 10:53:51 -0700 (PDT)
From: David Conrad <drc@virtualized.org>
Message-Id: <39275F0D-B6FE-4314-A87D-70F1D57F54EF@virtualized.org>
Content-Type: multipart/signed; boundary="Apple-Mail=_0DF0A5A5-5321-40D6-AA8D-15AEC17B75DB"; protocol="application/pgp-signature"; micalg="pgp-sha256"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.80.82.1.1\))
Date: Mon, 21 Mar 2022 10:53:50 -0700
In-Reply-To: <59fdc791-4482-141b-03b4-bc27e8824f31@necom830.hpcl.titech.ac.jp>
Cc: DNSOP@ietf.org
To: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>
References: <7aaed092-8877-ec15-9b7b-5d488e383d04@necom830.hpcl.titech.ac.jp> <7C43871E-60AF-485D-8AB3-65E72539F831@nohats.ca> <59fdc791-4482-141b-03b4-bc27e8824f31@necom830.hpcl.titech.ac.jp>
X-Mailer: Apple Mail (2.3696.80.82.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/a1Zbr1EYlK1yCDIS2BV6pjdfQHs>
Subject: Re: [DNSOP] DNSSEC as a Best Current Practice
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Mar 2022 17:54:09 -0000

On Mar 21, 2022, at 1:01 AM, Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp> wrote:
> Paul Wouters wrote:
> 
>>>  Constructive thing to do to make DNS secure is to totally
>>> abandon DNSSEC and rely on DNS cookie or something like that.
> 
>> DNS cookies provide no data origin security, only a weak transport
>> security against non-onpath attackers.
> 
> If a resolver correctly knows an IP address of a nameserver of a
> parent zone and the resolver and the nameserver can communicate
> with long enough ID, the resolver can correctly know an IP
> address of a nameserver of a child zone, which is secure enough
> data origin security.

No.

https://therecord.media/klayswap-crypto-users-lose-funds-after-bgp-hijack/ <https://therecord.media/klayswap-crypto-users-lose-funds-after-bgp-hijack/>
https://www.theregister.com/2018/04/24/myetherwallet_dns_hijack/ <https://www.theregister.com/2018/04/24/myetherwallet_dns_hijack/>
Etc.

Securing the channel of communication != securing the data communicated via that channel.

Regards,
-drc

v2.23.0 | Report a Bug | By Email