[Cryptography] Opening Discussion: Speculation on "BULLRUN"

Ray Dillinger bear at sonic.net
Sat Sep 7 15:54:04 EDT 2013


>> First, DNSSEC does not provide confidentiality.  Given that, it's not
>> clear to me why the NSA would try to stop or slow its deployment.

If it isn't, then you haven't considered its likely effects.

First of all, it makes CAs visibly redundant.  If people stop using
CAs, that multiplies the number of channels that must be compromised
in order to eavesdrop.  Furthermore, it makes those channels parties
actually interested in the authenticity of the communications, such
as the companies whose keys are being authenticated.  In short, it
means the NSA would have to deal directly with the people they want
to eavesdrop on.  That makes reaching a covert deal to expose keys a
bit more difficult, I'm thinking.

Secondly, it is the case that a DNS cache poisoning attack is an
occasionally useful technique allowing attackers to access things
that some people would rather they didn't access.  Such attackers
may or may not, apparently, include the NSA themselves, and if they
depend on that capability, then DNSSEC could be seen by them as a
threat against a useful channel for obtaining information.

Bear
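The post's claim that DNSSEC makes CAs redundant rests on a site publishing its own certificate or key fingerprint in DNSSEC-signed DNS, so that a relying party checks the presented key against that record rather than against a CA chain. The post does not name the mechanism; the example below is an added illustration, not code from the post or the list, and it assumes the RFC 6698 TLSA record format (usage 3 "DANE-EE", selector 1 for SubjectPublicKeyInfo, matching type 1 for SHA-256). Keys and certificates are constructed placeholder bytes, no X.509 parsing or signature checking is done, and the hostname example.com and the function names are the example's own. It also carries the caveat the second paragraph implies: a TLSA answer that did not arrive DNSSEC-validated is exactly what a cache-poisoning attacker would supply, so it must be ignored.

```python
# Added example (not from the post): DANE-style TLSA matching in pure Python.
# Models how a site can publish its own key fingerprint in DNSSEC-signed DNS
# (RFC 6698 TLSA, certificate usage 3 "DANE-EE") so that a certificate from
# any CA for the same name is rejected unless it carries the published key.
# Key material and certificates are constructed placeholder bytes, not real
# X.509; no signatures are checked.
import hashlib
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class TLSA:
    usage: int       # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int    # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int       # 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes      # certificate association data


def build_tlsa_rdata(usage: int, selector: int, mtype: int, data: bytes) -> bytes:
    """Serialise a TLSA record's RDATA in wire format (three octets + data)."""
    return bytes([usage, selector, mtype]) + data


def parse_tlsa_rdata(rdata: bytes) -> TLSA:
    """Parse wire-format TLSA RDATA; reject records too short to be valid."""
    if len(rdata) < 4:
        raise ValueError("TLSA RDATA too short")
    return TLSA(rdata[0], rdata[1], rdata[2], rdata[3:])


def _association(mtype: int, subject: bytes) -> bytes:
    """Compute the association data for a subject under a given matching type."""
    if mtype == 0:
        return subject
    if mtype == 1:
        return hashlib.sha256(subject).digest()
    if mtype == 2:
        return hashlib.sha512(subject).digest()
    raise ValueError(f"unsupported matching type {mtype}")


def dane_ee_accepts(cert_der: bytes, spki: bytes, records: Iterable[TLSA],
                    dnssec_validated: bool) -> bool:
    """True iff some DANE-EE (usage 3) record matches the presented certificate.

    Only usage 3 is handled here (an assumption to keep the example small);
    usages 0-2 still involve a CA or trust-anchor chain.  Records that did not
    arrive DNSSEC-validated are ignored outright: an unvalidated TLSA answer is
    what a cache-poisoning attacker would hand you.
    """
    if not dnssec_validated:
        return False
    for rec in records:
        if rec.usage != 3:
            continue
        if rec.selector == 0:
            subject: Optional[bytes] = cert_der
        elif rec.selector == 1:
            subject = spki
        else:
            continue
        try:
            if _association(rec.mtype, subject) == rec.data:
                return True
        except ValueError:
            continue
    return False


# --- constructed scenario ---------------------------------------------------
SITE_SPKI = b"constructed-spki: example.com key 1"
SITE_CERT = b"constructed-cert: CN=example.com, key 1, self-signed"
# A CA-issued certificate for the same name carrying a different key, as an
# interposing party holding a CA-signed cert would present.
INTERPOSER_SPKI = b"constructed-spki: interposer key"
INTERPOSER_CERT = b"constructed-cert: CN=example.com, interposer key, CA-signed"

# What the site publishes at _443._tcp.example.com: TLSA 3 1 1 <sha256(SPKI)>
PUBLISHED_RDATA = build_tlsa_rdata(3, 1, 1, hashlib.sha256(SITE_SPKI).digest())


def scenario() -> dict:
    """Run the three cases: own key, CA-signed cert with another key, unvalidated DNS."""
    records = [parse_tlsa_rdata(PUBLISHED_RDATA)]
    return {
        "site_key_validated": dane_ee_accepts(SITE_CERT, SITE_SPKI, records, True),
        "ca_cert_other_key": dane_ee_accepts(INTERPOSER_CERT, INTERPOSER_SPKI, records, True),
        "site_key_unvalidated": dane_ee_accepts(SITE_CERT, SITE_SPKI, records, False),
    }


if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name:22s} -> {'accept' if ok else 'reject'}")
```

The middle case is the one the post is about: a certificate for the right name, signed by a trusted CA, is still rejected because the key in it is not the key the domain owner published. The third case is the practitioner's check: a resolver that returns TLSA data without DNSSEC validation (no AD bit, or a stub resolver that never validates) gives the attacker the same leverage a poisoned cache does, so the record is worth nothing until it has been validated.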
