Florian Weimer <fwei...@bfk.de> writes:

> * Perry E. Metzger:
>
>> Actually, there are routine attacks on DNS infrastructure these days,
>> but clearly they're not cryptographic since that's not
>> deployed. However, a large part of the point of having DNSSEC is that we
>> can then trust the DNS to be accurate so we can insert things like
>> cryptographic keys into it.
>
> As far as I know, only the following classes of DNS-related incidents
> have been observed:

You're not correct. Among other things, I've personally been the subject of deliberate DNS cache contamination attacks, and people have observed deployed DNS response forgery in the field.

>> I'm particularly concerned about the fact that it is difficult to
>> a priori analyze all of the use cases for DNSSEC and what the incentives
>> may be to attack them.
>
> Well, this seems to be rather constructed to me.

Feel free to find it "constructed". From my point of view, if I can't analyze the implications of a compromise, I don't want to leave the ability for it to happen in a system. I don't think anyone is smart enough to understand all the implications of this across all the systems that depend on the DNS, especially as we start to trust the DNS because of the authentication.

Perry

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com