On Mon, Sep 28, 2015 at 9:53 PM, Mukund Sivaraman <m...@isc.org> wrote:
> Hi Paul
>
> On Mon, Sep 28, 2015 at 02:36:25PM -0400, Paul Wouters wrote:
> > On Mon, 28 Sep 2015, Paul Vixie wrote:
> >
> > >those things should also be done in the short term.
> > >
> > >but it's the internet. it'll outlive us all. we ought to have a long
> > >term plan as well.
> >
> > It's called DNSSEC.
>
> Zone data validation and DNS message validation are two different
> concepts. DNSSEC will not protect against DNS message modifications.
>
> DNSSEC provides support for end-to-end security (complete chain-of-trust
> signature verification), something that a DNS message checksum/signature
> cannot provide. On the other hand, DNSSEC requires signatures for each
> RRset bloating messages, whereas a DNS message checksum/signature is
> usually smaller as there is 1 per message.
>
> Anyway, I'll explain with an example why DNSSEC is not sufficient to
> protect against DNS message modifications. Assume a company provides a
> service in different countries. They want users in each country to use
> the local CDN only, let's assume because users have no route to other
> CDNs outside the country or because it's too expensive to service data
> from other countries. They use views in DNS, each serving a different
> country and the A/AAAA records returned by the authoritative server
> provides the correct IP address for that country. Assume that zones in
> these views are signed using the same KSK/ZSK.
>
> This will work fine, but an attacker who has access to country A's
> response may succeed in poisoning a message in country B with A's data
> and DNSSEC validation will not catch it. DNSSEC protects each RRset, but
> not the DNS message.

This is accepted risk: signatures can be reused for the interval specified, for any purpose.

> Also, there are other items in a DNS message aside from just signed zone
> data.

As your scheme is useless against an on-path attacker, I recommend you take a look at making TKEY+TSIG easier to use; then we get the good property of message integrity.

Olafur
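The two points above (Mukund's view-substitution scenario, where a validly signed RRset from country A is spliced into country B's response, and Olafur's remark that TSIG gives message integrity) as an added example that is not part of this thread and not code from ISC or the IETF. It is a minimal, library-free Python implementation of TSIG signing and verification following the RFC 8945 section 4.3.3 digest layout with hmac-sha256, applied to a constructed A response. The key bytes, key name, query name, addresses and timestamp are all constructed for the example; it assumes uncompressed names in the TSIG RR and does not include a request MAC (a real server signing a response also covers the MAC of the query it answers). Swapping the answer rdata for another view's address, or replaying the message outside the fudge window, makes verification fail, which is exactly what per-RRset DNSSEC signatures alone do not detect.

```python
import hashlib
import hmac
import struct

TSIG_TYPE = 250
CLASS_ANY = 255
ALGORITHM = "hmac-sha256."


def encode_name(name):
    """Wire-format a domain name: uncompressed and lowercased (canonical form)."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def skip_name(buf, off):
    """Return the offset just past the name at off (handles compression pointers)."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def build_response(qname, ipv4, msg_id=0x1234):
    """Constructed minimal DNS response: header, one A/IN question, one A answer."""
    header = struct.pack("!HHHHHH", msg_id, 0x8180, 1, 1, 0, 0)  # QR=1, RD, RA, NOERROR
    question = encode_name(qname) + struct.pack("!HH", 1, 1)      # TYPE A, CLASS IN
    rdata = bytes(int(o) for o in ipv4.split("."))
    answer = encode_name(qname) + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return header + question + answer


def tsig_digest_input(message, key_name, time_signed, fudge, error, other):
    """Bytes the TSIG MAC covers (RFC 8945 s4.3.3): whole message without the TSIG RR,
    then the TSIG variables (key name, class ANY, TTL 0, algorithm, time, fudge, error, other)."""
    return (message
            + encode_name(key_name) + struct.pack("!HI", CLASS_ANY, 0)
            + encode_name(ALGORITHM)
            + struct.pack("!Q", time_signed)[2:]                 # 48-bit time signed
            + struct.pack("!HHH", fudge, error, len(other)) + other)


def tsig_sign(message, key_name, key, time_signed, fudge=300):
    """Append a TSIG RR (RFC 8945 s4.2) to an unsigned message and increment ARCOUNT."""
    mac = hmac.new(key, tsig_digest_input(message, key_name, time_signed, fudge, 0, b""),
                   hashlib.sha256).digest()
    original_id = struct.unpack("!H", message[:2])[0]
    rdata = (encode_name(ALGORITHM) + struct.pack("!Q", time_signed)[2:]
             + struct.pack("!HH", fudge, len(mac)) + mac
             + struct.pack("!HHH", original_id, 0, 0))
    tsig_rr = encode_name(key_name) + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", message[10:12])[0] + 1
    return message[:10] + struct.pack("!H", arcount) + message[12:] + tsig_rr


def tsig_verify(signed, key_name, key, now):
    """Walk to the last RR, require it to be a TSIG RR for key_name, rebuild the message as it
    was before signing (ARCOUNT - 1, original ID restored), recompute and compare the MAC."""
    qd, an, ns, ar = struct.unpack("!HHHH", signed[4:12])
    if ar == 0:
        return False
    off = 12
    for _ in range(qd):
        off = skip_name(signed, off) + 4
    tsig_off = off
    for _ in range(an + ns + ar):
        tsig_off = off
        off = skip_name(signed, off)
        off += 10 + struct.unpack("!H", signed[off + 8:off + 10])[0]
    p = skip_name(signed, tsig_off)
    if signed[tsig_off:p] != encode_name(key_name):   # assumes an uncompressed key name
        return False
    rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", signed[p:p + 10])
    if rtype != TSIG_TYPE or rclass != CLASS_ANY:
        return False
    rd = signed[p + 10:p + 10 + rdlen]
    a = skip_name(rd, 0)
    if rd[:a] != encode_name(ALGORITHM):
        return False
    time_signed = int.from_bytes(rd[a:a + 6], "big")
    fudge, mac_size = struct.unpack("!HH", rd[a + 6:a + 10])
    mac = rd[a + 10:a + 10 + mac_size]
    original_id, error, other_len = struct.unpack("!HHH", rd[a + 10 + mac_size:a + 16 + mac_size])
    other = rd[a + 16 + mac_size:a + 16 + mac_size + other_len]
    unsigned = (struct.pack("!H", original_id) + signed[2:10]
                + struct.pack("!H", ar - 1) + signed[12:tsig_off])
    expected = hmac.new(key, tsig_digest_input(unsigned, key_name, time_signed, fudge, error, other),
                        hashlib.sha256).digest()
    return hmac.compare_digest(mac, expected) and abs(now - time_signed) <= fudge


def run_scenario():
    """Constructed demo: genuine response verifies; answer swapped for another view's
    address fails; the genuine response replayed an hour later fails the fudge check."""
    key = hashlib.sha256(b"constructed example key, not a real secret").digest()
    key_name = "cdn-tsig-key.example."
    now = 1443484380                         # constructed timestamp (seconds since epoch)
    unsigned = build_response("www.example.com.", "192.0.2.10")   # country A's view
    signed = tsig_sign(unsigned, key_name, key, now)
    rd_off = len(unsigned) - 4               # the A rdata sits at the end of the unsigned part
    substituted = signed[:rd_off] + bytes([198, 51, 100, 20]) + signed[rd_off + 4:]
    return {
        "genuine": tsig_verify(signed, key_name, key, now),
        "substituted": tsig_verify(substituted, key_name, key, now),
        "replayed": tsig_verify(signed, key_name, key, now + 3600),
    }


if __name__ == "__main__":
    print(run_scenario())
```

The MAC binds the whole wire message, header and all, to a shared key and a time window, so an on-path party cannot splice a different (even validly DNSSEC-signed) RRset into the response or replay it later without the verifier noticing; the remaining cost is key distribution between the two ends, which is the TKEY part of Olafur's suggestion.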
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop