Re: [Trans] DNSSEC also needs CT

Paul Wouters <> Tue, 13 May 2014 13:55 UTC

List-Id: Public Notary Transparency working group discussion list <>

On Tue, 13 May 2014, Ben Laurie wrote:


> Is it necessary to log anything other than keys? My base assumption was no: if the keys are as expected, then all records signed by those keys
> can be trusted. If someone wants to publish RRsets that are other than the one the true domain owner wants to publish, they necessarily have
> to inject a key they control, which becomes apparent from the logs.

That would not allow us to detect coercion, that is, a custom RRset signed
to be used only for a targeted attack (by, say, .com or the root).

But I'm not sure how we _could_ detect that. Let's say they get an A
record for that bypasses the NS RRset completely, that
is, signed by the .com key. To notice this case, you would also need to log
the change of zone cut.

The other case is injection of a custom DS RRset. How would we tell the
difference between the legitimate zone owner adding a DS record or an
attacker/parent zone owner adding one? One defense would be to ignore
any new DS record for a certain amount of time, but that runs into
similar issues as pinning and TACK.
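
Added example, not part of the original message or of any working-group draft: a sketch of a monitor that checks observed, validly signed RRsets against a logged zone cut and a logged DS set, the two things the message says a keys-only log would miss. The log layout, the class and function names, and the `example.com.` sample data are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Observation:
    owner: str        # owner name of the observed RRset
    rrtype: str       # "A", "DS", ...
    signer: str       # RRSIG Signer's Name field (RFC 4034)
    rdata: frozenset  # RRset contents as presentation-format strings

@dataclass(frozen=True)
class ZoneLogEntry:       # hypothetical log record, not a defined format
    zone: str             # logged zone cut (apex of the delegated zone)
    ds_set: frozenset     # DS records previously logged for this zone

def audit(obs, log):
    """Return findings for one observed RRset; an empty list means nothing to flag."""
    if obs.rrtype == "DS" and obs.owner == log.zone:
        # DS sits on the parent side of the cut, so a parent signature is
        # normal here; only the record contents can be compared.
        extra = obs.rdata - log.ds_set
        return [("unlogged-ds", sorted(extra))] if extra else []
    # Simplification: assumes no further delegations below the logged zone.
    in_zone = obs.owner == log.zone or obs.owner.endswith("." + log.zone)
    if in_zone and obs.signer != log.zone:
        # Data below the cut signed by another zone's (already logged) key:
        # invisible to a log that records keys only.
        return [("zone-cut-bypass", obs.signer)]
    return []

# Constructed sample data.
LOG = ZoneLogEntry("example.com.", frozenset({"1111 8 2 aaaa"}))
OK = Observation("www.example.com.", "A", "example.com.",
                 frozenset({"192.0.2.10"}))
BYPASS = Observation("www.example.com.", "A", "com.",
                     frozenset({"198.51.100.7"}))
NEW_DS = Observation("example.com.", "DS", "com.",
                     frozenset({"1111 8 2 aaaa", "4242 8 2 bbbb"}))

if __name__ == "__main__":
    for o in (OK, BYPASS, NEW_DS):
        print(o.owner, o.rrtype, audit(o, LOG))
```

The `unlogged-ds` finding only says the DS set changed; it cannot tell whether the zone owner or the parent added the record, which is the open question the message ends on.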