Re: [keyassure] Objective: Restrictive versus Supplementary Models

James Cloos <> Wed, 30 March 2011 20:19 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id A4B113A6A2A for <>; Wed, 30 Mar 2011 13:19:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.011
X-Spam-Status: No, score=-2.011 tagged_above=-999 required=5 tests=[AWL=0.589, BAYES_00=-2.599, NO_RELAYS=-0.001]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id CA7kuwF9ft1g for <>; Wed, 30 Mar 2011 13:19:27 -0700 (PDT)
Received: from ( [IPv6:2001:1938:12d::53]) by (Postfix) with ESMTP id 3D3EB3A69AB for <>; Wed, 30 Mar 2011 13:19:27 -0700 (PDT)
Received: by (Postfix, from userid 10) id 279B14067D; Wed, 30 Mar 2011 20:20:35 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=eagle; t=1301516460; bh=B+6WySojQpuQvWDg5VVW5Jge7+JngaTV20B8GJDiVMM=; h=From:To:Cc:Subject:In-Reply-To:References:Date:Message-ID: MIME-Version:Content-Type; b=NbL72cIMcVkHp99yy8wX20InK45cIjDzVPPEJp/AGHUbhxUPizPut2K2xFb8/Rapc HEBuFN726U6yL3kHOftkNnN5gOGPka2qmkfxlnMGfcCywGvb9Cb4xbCREYZG80zz0T 2oNfij9pm4CjCUmS9j/QpuGXNGtePtCz6f5cvwik=
Received: by (Postfix, from userid 500) id 879D126004B; Wed, 30 Mar 2011 20:13:14 +0000 (UTC)
From: James Cloos <>
To: "Richard L. Barnes" <>
In-Reply-To: <> (Richard L. Barnes's message of "Wed, 30 Mar 2011 21:32:40 +0200")
References: <> <> <> <>
User-Agent: Gnus/5.110014 (No Gnus v0.14) Emacs/24.0.50 (gnu/linux)
Copyright: Copyright 2011 James Cloos
OpenPGP: ED7DAEA6; url=
OpenPGP-Fingerprint: E9E9 F828 61A4 6EA9 0F2B 63E7 997A 9F17 ED7D AEA6
Date: Wed, 30 Mar 2011 16:13:14 -0400
Message-ID: <>
Lines: 20
MIME-Version: 1.0
Content-Type: text/plain
Subject: Re: [keyassure] Objective: Restrictive versus Supplementary Models
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Key Assurance With DNSSEC <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 30 Mar 2011 20:19:28 -0000

>>>>> "RLB" == Richard L Barnes <> writes:

JC> If the attacker injects fake dns records pointing to a fake server, they
JC> can include a dane rr.  It only makes the attack slightly harder, doesn't it?

RLB> Yes, but as ekr pointed out, injecting fake DANE RRs can only cause
RLB> the connection to fail, it won't result in the client connecting to a
RLB> bogus server.  That's why it's RECOMMENDED instead of REQUIRED.

If an attacker is going to inject fake RRs, they will inject fake A
and/or AAAA RRs too, not only fake dane RRs.

So the attacker will direct the victem to its fake site with its fake
cert tree which matches the fake dane rr.

I don't see how that is any different than the (non-dnssec) status quo.

James Cloos <>         OpenPGP: 1024D/ED7DAEA6