Possibly questionable security decisions in DNS root management

David Wagner daw at cs.berkeley.edu
Thu Oct 22 15:14:17 EDT 2009

Florian Weimer  wrote:
> And you better randomize some bits covered by RRSIGs on DS RRsets.
> Directly signing data supplied by non-trusted source is quite risky.
> (It turns out that the current signing schemes have not been designed
> for this type of application, but the general crypto community is very
> slow at realizing this discrepancy.)

Could you elaborate?  I'm not sure what you're referring to or why it
would be quite risky to sign unrandomized messages.  Modern, well-designed
signature schemes are designed to resist chosen-message attack.  They do
not require the user of the signature scheme to randomize the messages
to be signed.  I'm not sure what discrepancy you're referring to.

Back to DNSSEC: The original criticism was that "DNSSEC has covert
channels".  So what?  If you're connected to the Internet, covert
channels are a fact of life, DNSSEC or no.  The added risk due to any
covert channels that DNSSEC may enable is somewhere between negligible
and none, as far as I can tell.  So I don't understand that criticism.

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list