On Mon, Nov 10, 2014 at 7:16 PM, Ralf Weber <d...@fl1ger.de> wrote:
> Moin!
>
> On 10 Nov 2014, at 16:49, Brian Dickson <brian.peter.dick...@gmail.com> wrote:
> > The addresses associated with those names ( [a-m].root-servers.net ) are replaceable in a way which is undetectable and unprotected by DNSSEC.
>
> With DNSSEC any modification (malicious or not) can be detected so the actual packet origin doesn't matter. The data origin/authenticity is what we care about.
This is true ONLY for DNSSEC-protected data, and then only to the degree that confidentiality is not an issue.

For example, by substituting the address glue for the root servers, an attacker could then MitM all subsequent DNS traffic, by providing delegation glue for nameservers that point at (other) attacker-controlled machines.

At a minimum, the attacker would see all the DNS queries and answers. And, for any names not DNSSEC-protected, the attacker could then trivially supply forged answers.

Given the relatively low penetration rate in sizeable portions of the namespace, this is indeed something worth worrying about. And, it helps give motivation for removing any and all impediments to wide deployment of DNSSEC, on resolvers, clients, and registrants/registrars/registries.

Regards,
Brian
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
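The sequence Brian describes, as an added example that is not part of the thread and not code posted by any participant: a toy model of a validating resolver whose root-priming glue is rewritten on the path. The model makes several simplifying assumptions, all labelled in the code: an HMAC over a secret "trust anchor" stands in for RRSIG/DNSKEY validation, a single authoritative server stands in for the whole root-to-leaf delegation chain, the resolver's knowledge of which names sit under a signed chain is given as a constant (in real DNSSEC it comes from validated DS records), and every name and address is constructed from documentation ranges. What it shows is the three consequences in the message: the glue substitution itself goes unnoticed because nothing on that step is signed, the attacker then observes every query, and forged answers are rejected for signed names but accepted for unsigned ones.

```python
"""Toy model of root-priming glue substitution followed by on-path forging.

Added example; not code from the DNSOP thread. Simplifications (all assumed):
  - hmac over TRUST_ANCHOR stands in for RRSIG/DNSKEY validation,
  - one HonestServer stands in for the entire delegation chain,
  - SIGNED_NAMES stands in for a validated DS chain,
  - all names/addresses are constructed, documentation-range values.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Optional, Tuple

# Stand-in for the root trust anchor. The attacker never holds this key, so it
# cannot mint a signature the resolver will accept.
TRUST_ANCHOR = b"constructed-root-trust-anchor"

# Constructed authoritative data: name -> (address, lives under a signed chain?)
ZONE_DATA: Dict[str, Tuple[str, bool]] = {
    "signed.example.": ("192.0.2.10", True),
    "unsigned.example.": ("192.0.2.20", False),
}
SIGNED_NAMES = {n for n, (_, signed) in ZONE_DATA.items() if signed}

# Constructed root server glue (what a priming response would carry) and the
# attacker's address.
REAL_ROOT_GLUE = {
    "a.root-servers.net.": "198.51.100.1",
    "b.root-servers.net.": "198.51.100.2",
}
ATTACKER_ADDR = "203.0.113.66"


def rrsig(name: str, rdata: str) -> str:
    """Toy RRSIG: keyed hash over owner name, type and rdata."""
    msg = f"{name}|A|{rdata}".encode()
    return hmac.new(TRUST_ANCHOR, msg, hashlib.sha256).hexdigest()


@dataclass
class Answer:
    name: str
    rdata: str
    sig: Optional[str]  # None when no signature is present


class HonestServer:
    """Collapses the real root servers and the delegation chain into one."""

    def query(self, name: str) -> Answer:
        rdata, signed = ZONE_DATA[name]
        return Answer(name, rdata, rrsig(name, rdata) if signed else None)


class AttackerServer:
    """What the resolver talks to once its hints point at the attacker."""

    def __init__(self) -> None:
        self.observed: List[str] = []

    def query(self, name: str) -> Answer:
        self.observed.append(name)  # sees every query, signed or not
        # Forge an answer pointing at the attacker. Without TRUST_ANCHOR the
        # attached signature can only be a guess.
        return Answer(name, ATTACKER_ADDR, "0000deadbeef")


class Resolver:
    def __init__(self, network: Dict[str, Any]) -> None:
        self.network = network  # address -> server reachable at that address
        self.hints: Dict[str, str] = {}

    def prime(self, path: Callable[[Dict[str, str]], Dict[str, str]]) -> None:
        """Priming query. The glue addresses carry nothing the resolver can
        validate, so whatever the path delivers is installed as-is."""
        self.hints = path(dict(REAL_ROOT_GLUE))

    def resolve(self, name: str) -> Tuple[str, Optional[str]]:
        server = self.network[self.hints["a.root-servers.net."]]
        ans = server.query(name)
        if name not in SIGNED_NAMES:
            return "INSECURE", ans.rdata  # nothing to validate against
        if ans.sig is not None and hmac.compare_digest(ans.sig, rrsig(ans.name, ans.rdata)):
            return "SECURE", ans.rdata
        return "BOGUS", None  # modification detected; answer discarded


def clean_path(glue: Dict[str, str]) -> Dict[str, str]:
    return glue


def glue_substituting_path(glue: Dict[str, str]) -> Dict[str, str]:
    """On-path attacker rewrites every root server address to its own."""
    return {name: ATTACKER_ADDR for name in glue}


def run(on_path_attacker: bool) -> Tuple[Dict[str, Tuple[str, Optional[str]]], List[str]]:
    """Prime a resolver over a clean or attacked path, then resolve every name.
    Returns (per-name results, list of queries the attacker observed)."""
    attacker = AttackerServer()
    network: Dict[str, Any] = {addr: HonestServer() for addr in REAL_ROOT_GLUE.values()}
    network[ATTACKER_ADDR] = attacker
    resolver = Resolver(network)
    resolver.prime(glue_substituting_path if on_path_attacker else clean_path)
    results = {name: resolver.resolve(name) for name in ZONE_DATA}
    return results, attacker.observed


if __name__ == "__main__":
    for attacked in (False, True):
        results, seen = run(attacked)
        print("attacked path" if attacked else "clean path", results, "observed:", seen)
```

On the clean path both names resolve to their real addresses; on the attacked path the signed name comes back BOGUS (the forgery is detected and dropped, but the resolver still gets no answer), the unsigned name silently resolves to the attacker's address, and the attacker's log holds every query that was sent.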