Re: [keyassure] Objective: Restrictive versus Supplementary Models

James Cloos <cloos@jhcloos.com> Wed, 30 March 2011 20:19 UTC

Return-Path: <cloos@jhcloos.com>
X-Original-To: keyassure@core3.amsl.com
Delivered-To: keyassure@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A4B113A6A2A for <keyassure@core3.amsl.com>; Wed, 30 Mar 2011 13:19:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.011
X-Spam-Level:
X-Spam-Status: No, score=-2.011 tagged_above=-999 required=5 tests=[AWL=0.589, BAYES_00=-2.599, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CA7kuwF9ft1g for <keyassure@core3.amsl.com>; Wed, 30 Mar 2011 13:19:27 -0700 (PDT)
Received: from eagle.jhcloos.com (eagle.jhcloos.com [IPv6:2001:1938:12d::53]) by core3.amsl.com (Postfix) with ESMTP id 3D3EB3A69AB for <keyassure@ietf.org>; Wed, 30 Mar 2011 13:19:27 -0700 (PDT)
Received: by eagle.jhcloos.com (Postfix, from userid 10) id 279B14067D; Wed, 30 Mar 2011 20:20:35 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=jhcloos.com; s=eagle; t=1301516460; bh=B+6WySojQpuQvWDg5VVW5Jge7+JngaTV20B8GJDiVMM=; h=From:To:Cc:Subject:In-Reply-To:References:Date:Message-ID: MIME-Version:Content-Type; b=NbL72cIMcVkHp99yy8wX20InK45cIjDzVPPEJp/AGHUbhxUPizPut2K2xFb8/Rapc HEBuFN726U6yL3kHOftkNnN5gOGPka2qmkfxlnMGfcCywGvb9Cb4xbCREYZG80zz0T 2oNfij9pm4CjCUmS9j/QpuGXNGtePtCz6f5cvwik=
Received: by carbon.jhcloos.org (Postfix, from userid 500) id 879D126004B; Wed, 30 Mar 2011 20:13:14 +0000 (UTC)
From: James Cloos <cloos@jhcloos.com>
To: "Richard L. Barnes" <rbarnes@bbn.com>
In-Reply-To: <F1AC4325-EA91-4570-A423-F14B178B3965@bbn.com> (Richard L. Barnes's message of "Wed, 30 Mar 2011 21:32:40 +0200")
References: <AANLkTik1Uzd8XSZzopBBDHywrhSjsBQYxC91BZXdkMwg@mail.gmail.com> <0AE869F3-0BBB-485F-8CDD-EC1B70EBB9B2@bbn.com> <m3pqp8fvoz.fsf@jhcloos.com> <F1AC4325-EA91-4570-A423-F14B178B3965@bbn.com>
User-Agent: Gnus/5.110014 (No Gnus v0.14) Emacs/24.0.50 (gnu/linux)
Face: iVBORw0KGgoAAAANSUhEUgAAABAAAAAQAgMAAABinRfyAAAACVBMVEX///8ZGXBQKKnCrDQ3 AAAAJElEQVQImWNgQAAXzwQg4SKASgAlXIEEiwsSIYBEcLaAtMEAADJnB+kKcKioAAAAAElFTkSu QmCC
Copyright: Copyright 2011 James Cloos
OpenPGP: ED7DAEA6; url=http://jhcloos.com/public_key/0xED7DAEA6.asc
OpenPGP-Fingerprint: E9E9 F828 61A4 6EA9 0F2B 63E7 997A 9F17 ED7D AEA6
Date: Wed, 30 Mar 2011 16:13:14 -0400
Message-ID: <m31v1ocqod.fsf@jhcloos.com>
Lines: 20
MIME-Version: 1.0
Content-Type: text/plain
X-Hashcash: 1:30:110330:rbarnes@bbn.com::NZNb1tK+U2nFVX/p:0DK+Fq
X-Hashcash: 1:30:110330:ekr@rtfm.com::IQeQusEZxTGHxslt:0000PM27E
X-Hashcash: 1:30:110330:keyassure@ietf.org::j4qF6r3/jPOYlzby:0000000000000000000000000000000000000000004kdr2
Cc: keyassure@ietf.org
Subject: Re: [keyassure] Objective: Restrictive versus Supplementary Models
X-BeenThere: keyassure@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Key Assurance With DNSSEC <keyassure.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/keyassure>
List-Post: <mailto:keyassure@ietf.org>
List-Help: <mailto:keyassure-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Mar 2011 20:19:28 -0000

>>>>> "RLB" == Richard L Barnes <rbarnes@bbn.com> writes:

JC> If the attacker injects fake dns records pointing to a fake server, they
JC> can include a dane rr.  It only makes the attack slightly harder, doesn't it?

RLB> Yes, but as ekr pointed out, injecting fake DANE RRs can only cause
RLB> the connection to fail, it won't result in the client connecting to a
RLB> bogus server.  That's why it's RECOMMENDED instead of REQUIRED.

If an attacker is going to inject fake RRs, they will inject fake A
and/or AAAA RRs too, not only fake dane RRs.

So the attacker will direct the victem to its fake site with its fake
cert tree which matches the fake dane rr.

I don't see how that is any different than the (non-dnssec) status quo.

-JimC
-- 
James Cloos <cloos@jhcloos.com>         OpenPGP: 1024D/ED7DAEA6