Hi Paul

On Mon, Sep 28, 2015 at 02:36:25PM -0400, Paul Wouters wrote:
> On Mon, 28 Sep 2015, Paul Vixie wrote:
> 
> >those things should also be done in the short term.
> >
> >but it's the internet. it'll outlive us all. we ought to have a long
> >term plan as well.
> 
> It's called DNSSEC.

Zone data validation and DNS message validation are two different
concepts. DNSSEC will not protect against DNS message modifications.

DNSSEC provides support for end-to-end security (complete chain-of-trust
signature verification), something that a DNS message checksum/signature
cannot provide. On the other hand, DNSSEC requires signatures for each
RRset, bloating messages, whereas a DNS message checksum/signature is
usually smaller as there is one per message.

Anyway, I'll explain with an example why DNSSEC is not sufficient to
protect against DNS message modifications. Assume a company provides a
service in different countries. They want users in each country to use
the local CDN only, let's assume because users have no route to other
CDNs outside the country or because it's too expensive to service data
from other countries. They use views in DNS, each serving a different
country, and the A/AAAA records returned by the authoritative server
provide the correct IP address for that country. Assume that zones in
these views are signed using the same KSK/ZSK.

This will work fine, but an attacker who has access to country A's
response may succeed in poisoning a message in country B with A's data
and DNSSEC validation will not catch it. DNSSEC protects each RRset, but
not the DNS message.

Also, there are other items in a DNS message aside from just signed zone
data.

                Mukund
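The split-horizon scenario from the mail above, as an added toy model (this is not code from the original message or from any DNS implementation). Two views sign the same owner name with one shared ZSK; a resolver in country B is handed the RRset that view A produced. HMACs stand in for the public-key RRSIG and for a hypothetical per-message signature bound to the view's key and the query's transaction ID; the zone name, addresses, keys and transaction IDs are all constructed for the example.

```python
import hashlib
import hmac
import json

# Every value here is constructed for the example; the HMACs are a stand-in
# for public-key signatures (RRSIG, and a hypothetical per-message signature).
ZONE_KEY = b"constructed shared ZSK used by every view"

# Split-horizon views: the same owner name maps to a different CDN per country.
VIEWS = {
    "A": {("cdn.example.", "A"): ["192.0.2.10"]},
    "B": {("cdn.example.", "A"): ["198.51.100.20"]},
}

def rrsig(name, rrtype, rdata):
    """Sign an RRset the way DNSSEC does: over owner name, type and rdata only.
    Nothing about the view, the query, or the surrounding message is covered."""
    canon = "|".join([name, rrtype, *sorted(rdata)]).encode()
    return hmac.new(ZONE_KEY, canon, hashlib.sha256).hexdigest()

def dnssec_validate(answer):
    """Chain-of-trust check reduced to the single RRSIG over the answer RRset."""
    expected = rrsig(answer["name"], answer["type"], answer["rdata"])
    return hmac.compare_digest(expected, answer["rrsig"])

# Hypothetical per-message signature: one MAC over the whole message, keyed per
# view and bound to the transaction ID of the query it answers.
MSG_KEYS = {"A": b"constructed message key, view A",
            "B": b"constructed message key, view B"}

def message_mac(view, txid, question, answer):
    body = json.dumps([txid, question, answer], sort_keys=True).encode()
    return hmac.new(MSG_KEYS[view], body, hashlib.sha256).hexdigest()

def build_response(view, txid, qname, qtype):
    """Authoritative answer from one view, carrying both kinds of signature."""
    rdata = VIEWS[view][(qname, qtype)]
    answer = {"name": qname, "type": qtype, "rdata": rdata,
              "rrsig": rrsig(qname, qtype, rdata)}
    question = [qname, qtype]
    return {"txid": txid, "question": question, "answer": answer,
            "msgsig": message_mac(view, txid, question, answer)}

def message_validate(view, resp):
    """Resolver-side check of the per-message signature with its own view's key."""
    expected = message_mac(view, resp["txid"], resp["question"], resp["answer"])
    return hmac.compare_digest(expected, resp["msgsig"])

def cross_view_replay(legit_a, txid_b):
    """The mail's scenario: view A's signed RRset ends up in a response that
    answers a country-B resolver's query (B's transaction ID, A's RRset)."""
    spliced = dict(legit_a)
    spliced["txid"] = txid_b
    return spliced

def demo():
    resp_a = build_response("A", txid=0x1111, qname="cdn.example.", qtype="A")
    resp_b = build_response("B", txid=0x2222, qname="cdn.example.", qtype="A")
    spliced = cross_view_replay(resp_a, txid_b=0x2222)
    return {
        "genuine_B_dnssec": dnssec_validate(resp_b["answer"]),
        "genuine_B_message": message_validate("B", resp_b),
        # RRSIG is perfectly valid: same zone key, same owner, same rdata.
        "spliced_dnssec": dnssec_validate(spliced["answer"]),
        # Message-level check fails: signature is not over B's txid with B's key.
        "spliced_message": message_validate("B", spliced),
        "spliced_rdata": spliced["answer"]["rdata"],
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The RRSIG check passes on the spliced message because DNSSEC binds the signature to the RRset, not to the view or the transaction; only a check that covers the whole message and the query it answers notices that country B's resolver was handed country A's data.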


_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
