Possibly questionable security decisions in DNS root management
David Wagner
daw at cs.berkeley.edu
Thu Oct 22 15:14:17 EDT 2009

Florian Weimer wrote:
> And you better randomize some bits covered by RRSIGs on DS RRsets.
> Directly signing data supplied by non-trusted source is quite risky.
> (It turns out that the current signing schemes have not been designed
> for this type of application, but the general crypto community is very
> slow at realizing this discrepancy.)

Could you elaborate? I'm not sure what you're referring to or why it
would be quite risky to sign unrandomized messages. Modern, well-designed
signature schemes are designed to resist chosen-message attack. They do
not require the user of the signature scheme to randomize the messages
to be signed. I'm not sure what discrepancy you're referring to.

Back to DNSSEC: The original criticism was that "DNSSEC has covert
channels". So what? If you're connected to the Internet, covert
channels are a fact of life, DNSSEC or no. The added risk due to any
covert channels that DNSSEC may enable is somewhere between negligible
and none, as far as I can tell. So I don't understand that criticism.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com