On 01/25/2012 12:44 AM, Rick van Rein wrote:
> Miek, I do not agree that DNS is unattractive to crack;
> if I had a grudge against a large industrial firm I could
> try to redirect their traffic to me, and announce being
> near bankruptcy on their website (which would cause panic
> and could thereby end up being a self-fulfilling prophecy).
The attractiveness of cracking DNS keys will be even higher with the DANE protocol on the way (https://tools.ietf.org/html/draft-ietf-dane-protocol-14). If an attacker could factor an RSA ZSK, he can use that key to circumvent a stronger key in an X.509 certificate and eavesdrop on a TLS connection by forging a TLSA record (and TLS clients like browsers will accept it). At which point a state-level attacker must be taken into account.

Ondrej Mikle

_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
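As an added example (not from this thread, nor OpenDNSSEC code), a Python audit of the weakest-link point made above: it decodes the RFC 3110 RSA public key carried in DNSKEY records, maps each modulus to its NIST SP 800-57 symmetric-equivalent strength, and reports whether the DNSSEC chain that would sign a TLSA record is weaker than the certificate key it vouches for. The zone name, key sizes and DNSKEY records are constructed for the example.

```python
import base64
# NIST SP 800-57 Part 1, Table 2: RSA modulus length -> symmetric-equivalent strength.
RSA_STRENGTH = [(15360, 256), (7680, 192), (3072, 128), (2048, 112), (1024, 80)]
RSA_ALGS = {5, 7, 8, 10}  # DNSSEC algorithm numbers that carry RFC 3110 RSA keys

def rsa_strength_bits(modulus_bits):
    """Symmetric-equivalent strength of an RSA modulus (0 = below 80-bit)."""
    for min_bits, strength in RSA_STRENGTH:
        if modulus_bits >= min_bits:
            return strength
    return 0

def rfc3110_modulus_bits(pubkey_b64):
    """Decode an RFC 3110 public key blob and return the modulus length in bits."""
    blob = base64.b64decode(pubkey_b64)
    exp_len, offset = blob[0], 1
    if exp_len == 0:  # long form: exponent length is in the next two bytes
        exp_len, offset = int.from_bytes(blob[1:3], "big"), 3
    return int.from_bytes(blob[offset + exp_len:], "big").bit_length()

def parse_dnskey(rr):
    """Presentation-format DNSKEY RR -> (owner, role, algorithm, modulus_bits or None)."""
    owner, _cls, _type, flags, _proto, alg, *key = rr.split()
    role = "KSK" if int(flags) & 1 else "ZSK"  # SEP bit, RFC 4034 section 2.1.1
    alg = int(alg)
    bits = rfc3110_modulus_bits("".join(key)) if alg in RSA_ALGS else None
    return owner, role, alg, bits

def weakest_link(dnskey_rrs, cert_modulus_bits):
    """Weakest (label, strength) among the RSA DNSKEYs signing a TLSA record and the cert key."""
    links = [("X.509 certificate key", rsa_strength_bits(cert_modulus_bits))]
    for owner, role, alg, bits in map(parse_dnskey, dnskey_rrs):
        if bits is not None:
            links.append((f"{owner} {role} (alg {alg}, {bits}-bit RSA)", rsa_strength_bits(bits)))
    return min(links, key=lambda link: link[1])

def make_rfc3110_key(modulus_bits, exponent=65537):
    """Constructed (not real) RFC 3110 blob whose modulus has exactly modulus_bits bits."""
    e = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    n = ((1 << (modulus_bits - 1)) | 1).to_bytes(modulus_bits // 8, "big")
    return base64.b64encode(bytes([len(e)]) + e + n).decode()
# Constructed sample zone: 1024-bit ZSK (signs the TLSA RRset), 2048-bit KSK, 2048-bit cert.
SAMPLE_DNSKEYS = [
    f"example.org. IN DNSKEY 256 3 8 {make_rfc3110_key(1024)}",
    f"example.org. IN DNSKEY 257 3 8 {make_rfc3110_key(2048)}",
]
if __name__ == "__main__":
    label, strength = weakest_link(SAMPLE_DNSKEYS, 2048)
    print(f"effective strength {strength} bits, limited by {label}")
```

For the constructed zone the 1024-bit ZSK caps the whole DANE-protected connection at 80-bit strength, regardless of the 2048-bit certificate; the same functions can be run over `dig DNSKEY` output for a real zone.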
