Attacking networks using DHCP, DNS - probably kills DNSSEC

Bill Stewart bill.stewart at pobox.com
Sun Jun 29 22:17:18 EDT 2003


At 11:49 PM 06/29/2003 +0200, Simon Josefsson wrote:
>No, I believe only one of the following situations can occur:
>
>* Your laptop sees and uses the name "yahoo.com", and the DNS server
>   translates them into yahoo.com.attackersdomain.com.  If your laptop
>   knows the DNSSEC root key, the attacker cannot spoof yahoo.com since
>   it doesn't know the yahoo.com key.  This attack is essentially a
>   man-in-the-middle attack between you and your recursive DNS server.

That doesn't happen.  (Well, it could, but as you point out,
it's not a successful attack methodology, because DNSSEC was designed
to correctly take care of this.)

>* Your laptop sees and uses the name "yahoo.com.attackersdomain.com".
>   You may be able to verify this using your DNSSEC root key, if the
>   attackersdomain.com people have set up DNSSEC for their spoofed
>   entries, but unless you are using bad software or judgment, you will
>   not confuse this for the real "yahoo.com".

The DNS suffix business is designed so that your laptop tries
to use "yahoo.com.attackersdomain.com", either before "yahoo.com"
or after unsuccessfully trying "yahoo.com", depending on implementation.
It may be bad judgement, but it's designed to support intranet sites
for domains that want their web browsers and email to let you
refer to "marketing" as opposed to "marketing.webservers.example.com",
and Netscape-derived browsers support it as well as IE.

>Of course, everything fails if you ALSO get your DNSSEC root key from
>the DHCP server, but in this case you shouldn't expect to be secure.
>I wouldn't be surprised if some people suggest pushing the DNSSEC root
>key via DHCP though, because alas, getting the right key into the
>laptop in the first place is a difficult problem.

I agree with you and Steve that this would be a Really Bad Idea.
The only way to make it secure is to use an authenticated DHCP,
which means you have to put authentication keys in somehow,
plus you need a reasonable response for handling authentication failures,
which means you need a user interface as well.
It's also the wrong scope, since the DNSSEC is global information,
not connection-oriented information, so it's not really DHCP's job.





---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
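
Added example (not part of the original message or thread): a small Python model of the search-suffix behaviour discussed above, showing which names a stub resolver tries and how a client can flag an answer that came from a suffixed name or a search domain it does not trust. It assumes the "search"/"ndots" ordering documented for resolv.conf; the function names, the constructed zone data and the trusted zone "example.com" are illustrative assumptions.

```python
# Added illustration: search-list expansion as documented for resolv.conf
# ("search" and "ndots"). Other stub resolvers order the attempts differently.

def candidate_names(name, search_domains, ndots=1):
    """Fully qualified names a stub resolver tries, in order."""
    if name.endswith("."):                 # trailing dot: absolute, never suffixed
        return [name]
    suffixed = [f"{name}.{d.strip('.')}." for d in search_domains]
    if name.count(".") >= ndots:           # "enough" dots: try as typed first
        return [name + "."] + suffixed
    return suffixed + [name + "."]         # otherwise the suffixes come first


def resolve(name, search_domains, existing, ndots=1):
    """First candidate present in `existing` (constructed zone data), else None."""
    for fqdn in candidate_names(name, search_domains, ndots):
        if fqdn in existing:
            return fqdn
    return None


def silently_suffixed(typed, answered):
    """True when the answering name is not the name the user typed."""
    return answered is not None and answered != typed.rstrip(".") + "."


def untrusted_search_domains(offered, trusted):
    """DHCP-offered search domains that are not at or under a trusted zone."""
    def under(d, zone):
        d, zone = d.strip(".").lower(), zone.strip(".").lower()
        return d == zone or d.endswith("." + zone)
    return [d for d in offered if not any(under(d, z) for z in trusted)]


if __name__ == "__main__":
    dhcp_search = ["attackersdomain.com"]                      # constructed DHCP offer
    zones = {"yahoo.com.", "yahoo.com.attackersdomain.com."}   # constructed data
    for ndots in (1, 2):                   # as-typed-first vs. suffix-first
        got = resolve("yahoo.com", dhcp_search, zones, ndots)
        print(ndots, got, silently_suffixed("yahoo.com", got))
    # As-typed-first resolver when the plain lookup fails:
    print(resolve("yahoo.com", dhcp_search, zones - {"yahoo.com."}))
    print(untrusted_search_domains(dhcp_search, ["example.com"]))
```

A DNSSEC signature on the answering name validates in either case, so the useful client-side check is whether that name is the one that was typed.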


