Re: [perpass] A reminder, the Network is the Enemy...

Stephane Bortzmeyer <> Wed, 27 November 2013 15:06 UTC

Date: Wed, 27 Nov 2013 16:05:48 +0100
From: Stephane Bortzmeyer <>
To: Nicholas Weaver <>
Message-ID: <>
References: <>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <>
X-Operating-System: Debian GNU/Linux 7.2
X-Kernel: Linux 3.2.0-4-686-pae i686
Organization: NIC France
User-Agent: Mutt/1.5.21 (2010-09-15)
Cc: perpass <>
Subject: Re: [perpass] A reminder, the Network is the Enemy...
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "The perpass list is for IETF discussion of pervasive monitoring. " <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 27 Nov 2013 15:06:22 -0000

On Wed, Nov 20, 2013 at 12:42:53PM -0800, Nicholas Weaver <> wrote a message of 70 lines which said:

You mention DNSSEC twice, as a solution against some man-on-the-side
attacks (injecting false DNS answers).

The Schneier paper
about QUANTUM mentions packet injection but not the DNS. We don't know
if the NSA does DNS poisoning (but we may assume they - and other
actors - do it).

However, if the attacker is the NSA, we have to take into account the
possibility that they can sign data with the root's private key, which
is under US management. Therefore, is DNSSEC still useful?

Maybe, in these cases:

* the attacker may consider that DNSSEC validation is so uncommon
today that it is not worth the work to inject spoofed RRSIG

* some people may have trust anchors located at lower levels (some
registries do publish them for instance
<>).  Do you think it is
technically sound? Many people decided not to publish these trust
anchors, because of the management costs and risks, but it was before
Snowden. Maybe we should actively recommend the publication of such
"lower" trust anchors now?
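The second point above, a validator that also holds a trust anchor below the root, can be illustrated with a small model of the DNSSEC chain of trust. The following is an added example written for this archive page, not code from the list discussion or from any resolver. It simplifies heavily: one key per zone, no KSK/ZSK split, and the "DNSKEY" carries the same HMAC key used to sign (a real DNSKEY carries a public key), so only the chain-walking logic is modelled, not the cryptography. All zone names, key strings and addresses are constructed toy values. It plays out the scenario in the mail: an attacker who can sign with the root key mints a rogue .fr key and endorses it with a root-signed DS, and the result is compared for a resolver with a root-only anchor against one that also has an anchor for fr.

```python
import hashlib
import hmac

# Toy model of DNSSEC chain-of-trust validation (added example, not real
# DNSSEC code). Keys are opaque strings; a "DNSKEY" record holds the key
# itself and signatures are HMAC-SHA256, which stands in for RRSIGs.


def key_id(key: str) -> str:
    """Stand-in for the DS digest of a DNSKEY."""
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def canon(owner: str, rrtype: str, rdata: str) -> bytes:
    return f"{owner}|{rrtype}|{rdata}".encode()


def sign(key: str, owner: str, rrtype: str, rdata: str) -> str:
    """Stand-in for producing an RRSIG over one record."""
    return hmac.new(key.encode(), canon(owner, rrtype, rdata), hashlib.sha256).hexdigest()


def verify(key: str, owner: str, rrtype: str, rdata: str, sig: str) -> bool:
    return hmac.compare_digest(sign(key, owner, rrtype, rdata), sig)


def parent_of(zone: str):
    """'example.fr.' -> 'fr.' -> '.' -> None."""
    if zone == ".":
        return None
    rest = zone.split(".", 1)[1]
    return rest if rest else "."


def trusted_key(zone, answers, anchors):
    """Return the zone's DNSKEY if it chains to a configured anchor, else None.
    The closest anchor wins: if the zone itself has an anchor, the parent's DS
    is never consulted, so a DS forged in the parent cannot introduce a rogue key."""
    entry = answers.get((zone, "DNSKEY"))
    if entry is None:
        return None
    dnskey, sig = entry
    if not verify(dnskey, zone, "DNSKEY", dnskey, sig):  # DNSKEY set is self-signed
        return None
    if zone in anchors:
        return dnskey if key_id(dnskey) == anchors[zone] else None
    parent = parent_of(zone)
    if parent is None:
        return None  # root zone without an anchor: nothing to chain to
    parent_key = trusted_key(parent, answers, anchors)
    if parent_key is None:
        return None
    ds_entry = answers.get((zone, "DS"))
    if ds_entry is None:
        return None
    ds, ds_sig = ds_entry
    if ds != key_id(dnskey) or not verify(parent_key, zone, "DS", ds, ds_sig):
        return None
    return dnskey


def validate(owner, rrtype, answers, anchors):
    """Return the rdata if the record validates, None if it is bogus."""
    entry = answers.get((owner, rrtype))
    if entry is None:
        return None
    rdata, sig = entry
    # The signing zone is the closest enclosing name with a DNSKEY in the answers.
    zone = owner
    while zone is not None and (zone, "DNSKEY") not in answers:
        zone = parent_of(zone)
    if zone is None:
        return None
    key = trusted_key(zone, answers, anchors)
    if key is None or not verify(key, owner, rrtype, rdata, sig):
        return None
    return rdata


def build_answers(keys, a_record):
    """Assemble the records a resolver receives for www.example.fr./A, each
    signed with the per-zone keys in `keys` (constructed toy data)."""
    answers = {}
    for zone, key in keys.items():
        answers[(zone, "DNSKEY")] = (key, sign(key, zone, "DNSKEY", key))
        parent = parent_of(zone)
        if parent is not None:
            ds = key_id(key)
            answers[(zone, "DS")] = (ds, sign(keys[parent], zone, "DS", ds))
    leaf = keys["example.fr."]
    answers[("www.example.fr.", "A")] = (a_record, sign(leaf, "www.example.fr.", "A", a_record))
    return answers


HONEST = {".": "root-key", "fr.": "fr-key", "example.fr.": "example-key"}
HONEST_ANSWERS = build_answers(HONEST, "192.0.2.10")

# Hypothesis from the mail: the attacker can sign with the root key but does
# not hold the .fr key, so they use their own .fr and example.fr. keys and a
# root-signed DS that endorses the rogue .fr key.
FORGED = {".": "root-key", "fr.": "rogue-fr-key", "example.fr.": "rogue-example-key"}
FORGED_ANSWERS = build_answers(FORGED, "192.0.2.66")

ROOT_ONLY = {".": key_id("root-key")}
WITH_FR_ANCHOR = {".": key_id("root-key"), "fr.": key_id("fr-key")}


def scenario():
    return {
        "honest/root-only": validate("www.example.fr.", "A", HONEST_ANSWERS, ROOT_ONLY),
        "honest/fr-anchor": validate("www.example.fr.", "A", HONEST_ANSWERS, WITH_FR_ANCHOR),
        "forged/root-only": validate("www.example.fr.", "A", FORGED_ANSWERS, ROOT_ONLY),
        "forged/fr-anchor": validate("www.example.fr.", "A", FORGED_ANSWERS, WITH_FR_ANCHOR),
    }


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name}: {'bogus' if result is None else result}")
```

The root-only resolver accepts the forged chain, since every link is correctly signed by a key it was led to trust, while the resolver with the fr. anchor marks it bogus because the rogue .fr DNSKEY does not match the anchor and the root-signed DS is never consulted. The model only shows that the lower anchor removes the root from the chain for names under it; whether publishing such anchors is sound in practice still depends on how the anchor itself is distributed and rolled.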