On Mar 21, 2022, at 13:10, Masataka Ohta <mo...@necom830.hpcl.titech.ac.jp> 
wrote:
> 
> Ted Lemon wrote
> 
>> It's pretty easy to intercept all packets destined for a particular IP
>> address and spoof the responses.
> 
> Technically, yes, but, socially, no, not at all.
> 
> It can be practically possible only if ISPs' employees are socially
> compromised, which is criminal, or the ISP is ordered to do so
> by government.

https://therecord.media/klayswap-crypto-users-lose-funds-after-bgp-hijack/amp/

“Using a rogue AS known as AS9457, on February 3, the attackers began
advertising that they owned the IP addresses that served developers.kakao.com,”

You can define every technical hack as a social problem because it involved 
humans.

> The problem of DNSSEC, or PKI in general, is that, assuming such
> attacks, it is equally easy to socially compromise a zone with
> DNSSEC signature.

Yet that has never happened, unlike BGP attacks.


> It's pretty easy to forge certificates.
> 
> Never rely on untrustworthy TTPs.

Yet I don’t hear you say to abandon TLS?

> Because security by PKI including DNSSEC is not end to end

With TRRs in browsers like Firefox, it practically is.

> Or, can you improve DNSSEC to instantly invalidate compromised zone
> information, which is impossible with slowly acting CRLs.

DNSSEC has no CRLs, only TTLs. I think you meant PKI here, not DNSSEC?

>> Socially, having long enough message IDs is as secure as DNSSEC.

“Socially” makes no sense from a protocol level. 

>> That is because authors of the original specification of DNSSEC
> ignored my comments

It was not ignored; it was rejected.

> For me, it was, has been and still is easy.

Please submit a draft with enough details for an implementer and/or sample code 
so the IETF can objectively evaluate your claims.

Paul

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop