Possibly questionable security decisions in DNS root management

Perry E. Metzger perry at piermont.com
Thu Oct 22 10:12:06 EDT 2009


Florian Weimer <fweimer at bfk.de> writes:
> * Perry E. Metzger:
>
>> Actually, there are routine attacks on DNS infrastructure these days,
>> but clearly they're not cryptographic since that's not
>> deployed. However, a large part of the point of having DNSSEC is that we
>> can then trust the DNS to be accurate so we can insert things like
>> cryptographic keys into it.
>
> As far as I know, only the following classes of DNS-related incidents
> have been observed:

You're not correct. Among other things, I've personally been the subject
of deliberate DNS cache contamination attacks, and people have observed
deployed DNS response forgery in the field.

>> I'm particularly concerned about the fact that it is difficult to a
>> priori analyze all of the use cases for DNSSEC and what the incentives
>> may be to attack them.
>
> Well, this seems to be rather constructed to me.

Feel free to find it "constructed". From my point of view, if I can't
analyze the implications of a compromise, I don't want to leave the
ability for it to happen in a system. I don't think anyone is smart
enough to understand all the implications of this across all the systems
that depend on the DNS, especially as we start to trust the DNS because
of the authentication.

Perry
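The "DNS response forgery" and "cache contamination" Perry refers to above are not cryptographic attacks: a resolver querying over plain UDP accepts the first reply whose destination port, 16-bit transaction ID and question section match the query it has outstanding, so an off-path attacker who guesses those values before the real answer arrives can plant an arbitrary record. The following is an added example (editor's code, not from this thread or from any resolver) that builds real DNS wire-format packets, models that acceptance check, and measures how the attacker's odds change with the entropy the resolver puts into the ID and source port. The ephemeral port range, the fixed port 53, the name www.example.com, the address 192.0.2.1 and the trial counts are assumptions chosen for illustration; nothing touches the network.

```python
"""Off-path DNS response forgery, modelled at the wire level (constructed example)."""
import random
import struct

TXID_SPACE = 1 << 16                   # 16-bit ID field in the DNS header
EPHEMERAL_PORTS = range(1024, 65536)   # assumed ephemeral source-port range
FIXED_PORT = 53                        # assumed fixed source port, no randomisation


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_a_response(txid: int, qname: str, ip: str, ttl: int = 3600) -> bytes:
    """Minimal standard response: header, one question, one A record."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set
    question = encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def parse_response(packet: bytes):
    """Return (txid, qname, ip) from a packet produced by build_a_response."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", packet[:12])
    if not flags & 0x8000 or qdcount != 1 or ancount != 1:
        raise ValueError("not a single-answer response")
    labels, pos = [], 12
    while packet[pos]:
        length = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    pos += 1 + 4                                   # root label + QTYPE/QCLASS
    _, _, _, rdlength = struct.unpack("!HHIH", packet[pos + 2:pos + 12])
    rdata = packet[pos + 12:pos + 12 + rdlength]
    return txid, ".".join(labels), ".".join(str(b) for b in rdata)


def resolver_accepts(outstanding: dict, dst_port: int, packet: bytes) -> bool:
    """Plain-UDP acceptance: destination port, TXID and question must all match."""
    txid, qname, _ = parse_response(packet)
    return (dst_port == outstanding["sport"]
            and txid == outstanding["txid"]
            and qname == outstanding["qname"])


def spoof_trial(rng: random.Random, randomize_port: bool, forged_packets: int,
                qname: str = "www.example.com") -> bool:
    """One outstanding query; the attacker fires forged_packets blind guesses.

    Guesses are drawn uniformly from the (port, txid) space the attacker must
    cover.  A guess that matches is turned into a real forged packet and run
    through the resolver's acceptance check.  Returns True if it was accepted.
    """
    ports = EPHEMERAL_PORTS if randomize_port else [FIXED_PORT]
    space = TXID_SPACE * len(ports)
    target = rng.randrange(space)              # the resolver's real (port, id)
    outstanding = {"sport": ports[target // TXID_SPACE],
                   "txid": target % TXID_SPACE, "qname": qname}
    for _ in range(forged_packets):
        guess = rng.randrange(space)
        if guess == target:
            forged = build_a_response(guess % TXID_SPACE, qname, "192.0.2.1")
            return resolver_accepts(outstanding, ports[guess // TXID_SPACE], forged)
    return False


def success_rate(trials: int, forged_packets: int, randomize_port: bool,
                 seed: int = 1) -> float:
    """Empirical fraction of queries for which a forged answer was accepted."""
    rng = random.Random(seed)
    hits = sum(spoof_trial(rng, randomize_port, forged_packets) for _ in range(trials))
    return hits / trials


def analytic_rate(forged_packets: int, randomize_port: bool) -> float:
    """Closed form for n independent uniform guesses: 1 - (1 - 1/space)^n."""
    space = TXID_SPACE * (len(EPHEMERAL_PORTS) if randomize_port else 1)
    return 1 - (1 - 1 / space) ** forged_packets


if __name__ == "__main__":
    n = TXID_SPACE   # one ID space's worth of forged replies per query
    for randomize in (False, True):
        print(f"port randomised={randomize}: analytic {analytic_rate(n, randomize):.2e}, "
              f"simulated {success_rate(20, n, randomize):.2f}")
```

With a fixed source port, 65536 blind replies per query succeed roughly 63% of the time; adding port randomisation pushes that below one in ten thousand, but the check is still a guessing game rather than a proof of origin. That is the gap DNSSEC is meant to close: a validating resolver rejects the forged packet above not because a 16-bit field mismatched but because the RRset carries no valid signature from the zone's key.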

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com