Hosnieh Rafiee wrote:

> I have gathered some vulnerabilities in the current DNS security approaches
> such as DNSSEC, etc.  We think it is useful to have a survey of existing
> vulnerabilities or any new vulnerabilities so that we can address those
> issues in other standard RFCs.

Another security problem is caused by the fundamental fallacy
of PKI that CAs were trusted third parties.

If a zone administrator is legally forced to disclose the secret
key of the zone or to forge a certificate for a child zone of
the zone, the zone is not secure at all.

Thanks to Snowden, I can safely state that such enforcement is
plausible without being called paranoid.

The problem can be avoided if we modify DNSSEC to require
multiple signatures from multiple organizations in several
countries such as Russia, China, etc., at least for the root
and TLD zones.

                                        Masataka Ohta

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
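As an added illustration of the multi-signature idea above (example code written for this page, not code from the DNSOP thread, from Masataka Ohta, or from any DNSSEC implementation): a toy validator that accepts an RRset only when signatures from at least k distinct organizations verify. Standard DNSSEC validation accepts an RRset as soon as any one RRSIG over it verifies, so adding keys to a zone today buys redundancy, not a threshold; the check below is the piece that would have to change. The organization labels ("org-a", "org-b", "org-c"), the zone name "example.", the NS RDATA, and the simplified canonical form are all constructed for the example. Ed25519 is used because Go's standard library provides it and DNSSEC already defines it as algorithm 15.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"sort"
	"strings"
)

// Signer models one organization that holds its own zone-signing key.
// In the multi-signature variant sketched in the message, several such
// organizations each sign the same RRset with their own key.
type Signer struct {
	Org  string // constructed organization label, e.g. "org-a"
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// RRSig models an RRSIG record reduced to the two fields this check needs:
// which organization produced it and the signature bytes.
type RRSig struct {
	Org string
	Sig []byte
}

// canonicalRRset builds the byte string that is signed: the lower-cased owner
// name followed by the RDATA strings in sorted order. This is a simplification
// of the canonical RRset form that DNSSEC signatures cover.
func canonicalRRset(owner string, rdata []string) []byte {
	sorted := append([]string(nil), rdata...)
	sort.Strings(sorted)
	return []byte(strings.ToLower(owner) + "\n" + strings.Join(sorted, "\n"))
}

// NewSigner generates a fresh Ed25519 key pair for one organization.
func NewSigner(org string) (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{Org: org, Pub: pub, priv: priv}, nil
}

// Sign produces this organization's RRSIG over the RRset.
func (s *Signer) Sign(owner string, rdata []string) RRSig {
	return RRSig{Org: s.Org, Sig: ed25519.Sign(s.priv, canonicalRRset(owner, rdata))}
}

// ValidateThreshold accepts the RRset only when at least threshold signatures
// from distinct trusted organizations verify. A second signature from an
// organization already counted is ignored, so one coerced signer cannot reach
// the threshold by signing twice, and signatures from unknown signers are
// skipped rather than trusted. It returns the decision and the organizations
// whose signatures verified, in sorted order.
func ValidateThreshold(owner string, rdata []string, sigs []RRSig,
	trusted map[string]ed25519.PublicKey, threshold int) (bool, []string) {
	msg := canonicalRRset(owner, rdata)
	counted := map[string]bool{}
	var valid []string
	for _, s := range sigs {
		pub, ok := trusted[s.Org]
		if !ok || counted[s.Org] {
			continue
		}
		if ed25519.Verify(pub, msg, s.Sig) {
			counted[s.Org] = true
			valid = append(valid, s.Org)
		}
	}
	sort.Strings(valid)
	return len(valid) >= threshold, valid
}

// Scenario runs the constructed example: three organizations, a 2-of-3
// threshold, an honest delegation signed by all three, and a forged
// delegation that only one coerced organization signs (twice). It returns
// whether the honest and the forged RRset were accepted.
func Scenario() (honestOK bool, forgedOK bool, err error) {
	trusted := map[string]ed25519.PublicKey{}
	var signers []*Signer
	for _, o := range []string{"org-a", "org-b", "org-c"} {
		s, e := NewSigner(o)
		if e != nil {
			return false, false, e
		}
		signers = append(signers, s)
		trusted[o] = s.Pub
	}
	owner := "example." // constructed zone name
	honest := []string{"NS ns1.example.", "NS ns2.example."}
	forged := []string{"NS ns1.attacker.example."}

	var honestSigs []RRSig
	for _, s := range signers {
		honestSigs = append(honestSigs, s.Sign(owner, honest))
	}
	honestOK, _ = ValidateThreshold(owner, honest, honestSigs, trusted, 2)

	// org-a alone is coerced into signing the forged delegation; a duplicate
	// signature from the same organization still counts once.
	forgedSigs := []RRSig{signers[0].Sign(owner, forged), signers[0].Sign(owner, forged)}
	forgedOK, _ = ValidateThreshold(owner, forged, forgedSigs, trusted, 2)
	return honestOK, forgedOK, nil
}

func main() {
	h, f, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("honest RRset accepted: %v\nforged RRset signed by one coerced org accepted: %v\n", h, f)
}
```

The threshold is keyed on the organization, not on the key, which is the point of the proposal: a zone that merely lists several DNSKEYs under one administrator gains nothing, because the party that can be compelled holds all of them. What the example does not solve is distribution of the trusted key set itself; a resolver still needs a trust anchor per participating organization, and the RRSIG and DNSKEY wire formats carry no notion of which organization a key belongs to.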
