On 6/9/15, 10:24, "Casey Deccio" <[email protected]> wrote:

> But when you consider a downgrade attack, the attacker only needs the lowest
> hanging fruit. That means that *any* DS (regardless of DNSKEY) with the
> weaker digest type could potentially be used for falsifying a DNSKEY.

I'm just going to throw this on the mat - perhaps we've (and I mean the loose collective of folks involved with DNSSEC over the decades) had a poor understanding of downgrade attacks (how they happen, etc.) and have poorly addressed them. Given that I've never seen one (downgrade attack) work (in practice/in the field), I've never been able to reverse engineer it. Having an academic/theoretic understanding is often times not sufficient. Like learning to take down a spinnaker on a sailboat on a calm day in the dock and then expecting to execute the steps heeled over in a gale. Or learning to change a diaper on a doll and then expecting to do the same for the first time in the back seat of a car. ;) Those are two areas where cleanroom experience didn't translate to real world experience so much. In general - has anyone seen an actual attack thwarted by DNSSEC? Or an attack beat a DNSSEC defense? Not looking to justify the investment, looking for the opportunity to reverse engineer.
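The DS-to-DNSKEY matching that the quoted downgrade point rests on, as an added Python example that is not part of this thread or of any DNSSEC implementation. The owner name example.com., the key blob and the DS pair are constructed; it shows that when a SHA-256 and a SHA-1 DS are both published for a key, a validator needs only one matching DS, so the SHA-1 DS sets the effective strength of the delegation.

```python
# Added example (not from the thread): DS/DNSKEY matching per RFC 4034.
import hashlib
import struct

# DS digest types (RFC 4034, RFC 4509, RFC 6605); SHA-1 is the weak one here.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
WEAK_DIGEST_TYPES = {1}

def name_to_wire(name):
    """Owner name in DNS wire format (lower-cased labels, no compression)."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(rdata):
    """Key tag over DNSKEY RDATA, RFC 4034 Appendix B (algorithms other than 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner, dnskey_rdata, digest_type):
    """Hex digest a DS record of this digest type carries for the key."""
    return DIGEST_ALGS[digest_type](name_to_wire(owner) + dnskey_rdata).hexdigest()

def matching_ds(owner, dnskey_rdata, ds_rrset):
    """DS records (key_tag, algorithm, digest_type, digest) matching the DNSKEY;
    a validator needs only one match to treat the key as authenticated."""
    tag, alg = key_tag(dnskey_rdata), dnskey_rdata[3]
    return [ds for ds in ds_rrset
            if ds[0] == tag and ds[1] == alg and ds[2] in DIGEST_ALGS
            and ds[3].lower() == ds_digest(owner, dnskey_rdata, ds[2])]

def weakest_accepted_digest(ds_rrset):
    """Weakest digest type a validator would accept from this DS RRset: the
    'lowest hanging fruit'. Among the types listed above, lower number == weaker."""
    usable = [ds[2] for ds in ds_rrset if ds[2] in DIGEST_ALGS]
    return min(usable) if usable else None

# Constructed sample: a KSK (flags 257, proto 3, alg 8) with a made-up key blob,
# published at the parent with both a SHA-256 and a SHA-1 DS.
OWNER = "example.com."
DNSKEY = struct.pack("!HBB", 257, 3, 8) + bytes(range(32))
DS_RRSET = [(key_tag(DNSKEY), 8, 2, ds_digest(OWNER, DNSKEY, 2)),
            (key_tag(DNSKEY), 8, 1, ds_digest(OWNER, DNSKEY, 1))]

def audit(owner=OWNER, dnskey=DNSKEY, ds_rrset=DS_RRSET):
    weakest = weakest_accepted_digest(ds_rrset)
    return {"matching": len(matching_ds(owner, dnskey, ds_rrset)),
            "weakest_digest_type": weakest,
            "downgradable": weakest in WEAK_DIGEST_TYPES}
```

Dropping the SHA-1 DS from the parent (the one-element RRset in the test) is what removes the weaker path; adding a stronger DS alongside it does not.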
