Okay, I tried to substantiate the discussion but all I get back are unsubstantiated one line claims. I tried to ask for clarifications with details but didn’t receive these. If you can’t or won’t provide details, I cannot evaluate your claims and can take no action other than to reject your claims. If you can substantiate this in the future, I am happy to pick up this discussion.
Regards, Paul > > On Mar 21, 2022, at 15:12, Masataka Ohta <mo...@necom830.hpcl.titech.ac.jp> > wrote: > > Paul Wouters wrote: > >> "Using a rogue AS known as AS9457, on February 3, the attackers >> began advertising that they owned the IP addresses that served >> developers.kakao.com," > > It is as easy as compromising developers.kakao.com. > >> You can define every technical hack as a social problem because it >> involved humans. > > Yup. > >>> The problem of DNSSEC, or PKI in general, is that, assuming such attacks, >>> it is equally easy to socially compromise a zone with DNSSEC signature. >> Yet that has never happened, unlike BGP attacks. > > You miss my point that DNSSEC to produce correct IP addresses > is powerless against BGP attacks. > >>> It's pretty easy to forge certificates. >>> Never rely on untrustworthy TTPs. >> Yet I don’t hear you say to abandon TLS ? > > TLS is no better than DH, which is subject to MitM attacks, > though you might hear it from me for the first time. > >>> Because security by PKI including DNSSEC is not end to end >> With TRRs in browsers like Firefox, it practically is. > > Wrong. > > Because it is not end to end, it is subject to MitM attacks > on software distribution chain. > >>> Or, can you improve DNSSEC to instantly invalidate compromised >>> zone information, which is impossible with slowly acting CRLs. >> DNSSEC has no CRLs, only TTLs. I think you meant PKI here, not >> DNSSEC? > > That CRLs are very slow to react against attacks because > PKI is not end to end makes CRLs totally useless for > PKIs including DNSSEC, which is why I stated "instantly > invalidate". > >>>> Socially, having long enough message IDs is as secure as DNSSEC. >> “Socially” makes no sense from a protocol level. > > BCP is not at the protocol level. > > >>>> That is because authors of the original specification of DNSSEC >>> ignored my comments >> It was not ignored, it was rejected. > > It was ignored and rejected but later, with some implementation > efforts, was recognized resulting in specification changes in > the worst possible way, because recognition occurred to late. > > So? > > > Please submit a draft with enough details for an implementer and/or > > sample code so the IETF can objectively evaluate your claims. > > No implementation or code is necessary to say DNSSEC is > fundamentally hopeless. > > Masataka Ohta > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop