IETF Logo Mail Archive

Re: [DNSOP] DNSSEC as a Best Current Practice

Paul Wouters <paul@nohats.ca> Mon, 21 March 2022 13:45 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 213EA3A19EA for <dnsop@ietfa.amsl.com>; Mon, 21 Mar 2022 06:45:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jnCRrrfeU__4 for <dnsop@ietfa.amsl.com>; Mon, 21 Mar 2022 06:45:21 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.85]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4363B3A19DD for <DNSOP@ietf.org>; Mon, 21 Mar 2022 06:45:20 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 4KMbTp6BWwz3Tt; Mon, 21 Mar 2022 14:45:18 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1647870318; bh=hNaFJsi3DIg8QxSr/RKimp0iFw1NgmJakF6JX16hOgM=; h=From:Subject:Date:References:Cc:In-Reply-To:To; b=uDAkdVoZqigMP6swijUBAFKC0QSFR+tgMhSCFqE+bdkvI5cU2de4SmWcJCh2AWVLw V9i2HLAB6rlKAhgHXSTL+patbi2uzOZhGCyTl+EzOKzLRQJ1OcyFMFHce0Or48GPaz XqVWPdylNTe2fw8HElAtrxAJY19HWmOnyUgHKJao=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id IAHtVLq6N-eX; Mon, 21 Mar 2022 14:45:17 +0100 (CET)
Received: from bofh.nohats.ca (bofh.nohats.ca [193.110.157.194]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Mon, 21 Mar 2022 14:45:17 +0100 (CET)
Received: from smtpclient.apple (dhcp-88f1.meeting.ietf.org [31.133.136.241]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by bofh.nohats.ca (Postfix) with ESMTPSA id A7C622CE371; Mon, 21 Mar 2022 09:45:16 -0400 (EDT)
Content-Type: multipart/alternative; boundary="Apple-Mail-4F6502C3-9AFB-4A90-8661-1D73B8B4028D"
Content-Transfer-Encoding: 7bit
From: Paul Wouters <paul@nohats.ca>
Mime-Version: 1.0 (1.0)
Date: Mon, 21 Mar 2022 14:45:12 +0100
Message-Id: <2F644929-3B97-4375-9458-7A64B2E17B04@nohats.ca>
References: <3035599f-bcb9-b753-54bc-32f61683a0e5@necom830.hpcl.titech.ac.jp>
Cc: DNSOP@ietf.org
In-Reply-To: <3035599f-bcb9-b753-54bc-32f61683a0e5@necom830.hpcl.titech.ac.jp>
To: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>
X-Mailer: iPhone Mail (19D52)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/yWBMQrUNWM4lJDe0z5RJmoV70qA>
Subject: Re: [DNSOP] DNSSEC as a Best Current Practice
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Mar 2022 13:45:36 -0000

On Mar 21, 2022, at 13:10, Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp> wrote:
> 
> Ted Lemon wrote
> 
>> It's pretty easy to intercept all packets destined for a particular IP
>> address and spoof the responses.
> 
> Technically, yes, but, socially, no, not at all.
> 
> It can be practically possible only if ISPs employees are socially
> compromised, which is criminal, or the ISP is ordered to do so
> by government.

https://therecord.media/klayswap-crypto-users-lose-funds-after-bgp-hijack/amp/

“ Using a rogue AS known as AS9457, on February 3, the attackers began advertising that they owned the IP addresses that served developers.kakao.com,”

You can define every technical hack as a social problem because it involved humans.

> The problem of DNSSEC, or PKI in general, is that, assuming such
> attacks, it is equally easy to socially compromise a zone with
> DNSSEC signature.

Yet that has never happened, unlike BGP attacks.


> It's pretty easy to forge certificates.
> 
> Never rely on untrustworthy TTPs.

Yet I don’t hear you say to abandon TLS ?

> Because security by PKI including DNSSEC is not end to end

With TRRs in browsers like Firefox, it practically is.

> Or, can you improve DNSSEC to instantly invalidate compromised zone
> information, which is impossible with slowly acting CRLs.

DNSSEC has no CRLs, only TTLs. I think you meant PKI here, not DNSSEC?

>> Socially, having long enough message IDs is as secure as DNSSEC.

“Socially” makes no sense from a protocol level. 



>> That is because authors of the original specification of DNSSEC
> ignored my comments

It was not ignored, it was rejected.

> For me, it was, has been and still is easy.

Please submit a draft with enough details for an implementer and/or sample code so the IETF can objectively evaluate your claims.

Paul

v2.23.0 | Report a Bug | By Email