On Mar 8, 2010, at 9:31 AM, Thierry Moreau wrote:

> Joe Abley wrote:
>> On 2010-03-08, at 10:27, Paul Wouters wrote:
>>> On Mon, 8 Mar 2010, Joe Abley wrote:
>>>
>>>> Our[*] reasoning so far with respect to signing ROOT-SERVERS.NET can I
>>>> think be paraphrased as follows:
>>>>
>>>> - however, since the root zone is signed, validators can already tell when
>>>> they are talking to a root server that serves bogus information
>>> How does that work without ROOT-SERVERS.NET being signed with a known trust
>>> anchor?
>> Because validators are equipped with a trust anchor for the root zone's KSK.
>> An unsigned ROOT-SERVERS.NET might leave validators talking to a bogus root
>> server, but they won't believe any of the signed replies they get from it.
>
> That is a narrow view of what a bogus root server may do. It may also
> replicate every official root signature (basically signed delegations) and
> spoof unsigned delegations.
>
> Your enemy may make a bogus signed TLD nameserver with the same strategy so
> that unsigned delegations to SLDs can also be spoofed.
>
> If DNSSEC usage includes validation of A/AAAA, then signed A/AAAA for
> nameservers at the root and TLD seem to provide some (arguably marginal but
> not null) integrity assurance for unsigned domains.
>
> That's just an observation on the above reasoning. A full pros and cons
> analysis is obviously more encompassing.
But in order to BECOME the bogus nameserver, the attacker is already a MitM, so the attacker can just directly spoof any non-valid reply; they don't need to spoof the reply that makes them the bogus nameserver, they can spoof the unsigned replies directly.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
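The exchange above turns on what a validating resolver can and cannot tell apart once an attacker sits between it and the authoritative servers. The following is an added example, not code from the thread or from any DNSSEC implementation: a toy chain-of-trust validator in Go that models the cases argued by both sides. It uses Ed25519 signatures as a stand-in for RRSIGs, a parent-signed "DS" record that carries the child's key itself (a real DS carries a digest of the DNSKEY), and a parent-signed "NODS" record standing in for the NSEC/NSEC3 proof of an insecure delegation. All zone names (`test.`, `example.test.`, `legacy.test.`), addresses and keys are constructed for the example. It replays the man in the middle Thierry describes, echoing the genuine signed delegations while rewriting the rest, and shows Paul's and Joe's points in the verdicts: the genuine and the forged answer from an unsigned zone both come back `insecure`, a forged "no DS" cannot downgrade a signed zone because only the parent's key can sign it, and a bogus root signing with its own key is rejected outright.

```go
package main

import (
	"crypto/ed25519"
	"encoding/hex"
	"fmt"
	"strings"
)

// Status mirrors the three DNSSEC validation outcomes.
type Status string
const Secure, Insecure, Bogus Status = "secure", "insecure", "bogus"

// RRset is a toy answer: record text plus an RRSIG stand-in (nil if unsigned).
type RRset struct {
	Owner string // zone that served it, e.g. "test."
	Text  string // e.g. "www.example.test. A 192.0.2.1"
	Sig   []byte // Ed25519 signature over Text by the owning zone
}

// Zone is a toy zone; an unsigned zone is simply one with no key pair.
type Zone struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewSignedZone(name string) *Zone {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
	return &Zone{Name: name, Pub: pub, priv: priv}
}

func (z *Zone) Answer(text string) RRset {
	rr := RRset{Owner: z.Name, Text: text}
	if z.priv != nil { // a signed zone attaches an RRSIG stand-in
		rr.Sig = ed25519.Sign(z.priv, []byte(text))
	}
	return rr
}

// DS is the parent's signed record binding the child's key (the key itself here; a real
// DS carries a digest of it), or "NODS" standing in for the signed NSEC/NSEC3 proof of no DS.
func (z *Zone) DS(child *Zone) RRset {
	if child.priv == nil {
		return z.Answer(child.Name + " NODS")
	}
	return z.Answer(fmt.Sprintf("%s DS %x", child.Name, child.Pub))
}

// Validate walks from the trust anchor down the DS/NODS chain and classifies the final answer.
func Validate(anchor ed25519.PublicKey, chain []RRset, final RRset) Status {
	keys := map[string]ed25519.PublicKey{".": anchor} // zone -> DNSKEY established so far
	for _, ds := range chain {
		parent, ok := keys[ds.Owner]
		if !ok || ds.Sig == nil || !ed25519.Verify(parent, []byte(ds.Text), ds.Sig) {
			return Bogus // a DS/NODS must be signed by a key already in the chain
		}
		child, rest, _ := strings.Cut(ds.Text, " ") // "<child> DS <hex key>" or "<child> NODS"
		if rest == "NODS" {
			return Insecure // proven-unsigned delegation: nothing below it is checkable
		}
		k, err := hex.DecodeString(strings.TrimPrefix(rest, "DS "))
		if !strings.HasPrefix(rest, "DS ") || err != nil || len(k) != ed25519.PublicKeySize {
			return Bogus // malformed DS
		}
		keys[child] = k
	}
	if k, ok := keys[final.Owner]; ok && final.Sig != nil && ed25519.Verify(k, []byte(final.Text), final.Sig) {
		return Secure
	}
	return Bogus
}

// Scenarios replays the cases argued on the list with a man in the middle that echoes
// the genuine signed delegations but rewrites whatever else it likes. All constructed.
func Scenarios() map[string]Status {
	root, tld := NewSignedZone("."), NewSignedZone("test.")
	signedSLD, unsignedSLD := NewSignedZone("example.test."), &Zone{Name: "legacy.test."}
	toUnsigned := []RRset{root.DS(tld), tld.DS(unsignedSLD)}
	genuineSigned := signedSLD.Answer("www.example.test. A 192.0.2.1")
	genuineUnsigned := unsignedSLD.Answer("www.legacy.test. A 192.0.2.2")
	forgedUnsigned := RRset{Owner: unsignedSLD.Name, Text: "www.legacy.test. A 198.51.100.66"}
	forgedSigned := RRset{Owner: signedSLD.Name, Text: "www.example.test. A 198.51.100.66"}
	impostorTLD, impostorRoot := NewSignedZone("test."), NewSignedZone(".") // attacker's own keys
	downgrade := []RRset{root.DS(tld), impostorTLD.Answer("example.test. NODS")}
	return map[string]Status{
		"genuine signed answer":                  Validate(root.Pub, []RRset{root.DS(tld), tld.DS(signedSLD)}, genuineSigned),
		"genuine unsigned answer":                Validate(root.Pub, toUnsigned, genuineUnsigned),
		"forged unsigned answer, replayed chain": Validate(root.Pub, toUnsigned, forgedUnsigned),
		"forged NODS to downgrade a signed zone": Validate(root.Pub, downgrade, forgedSigned),
		"bogus root signing with its own key":    Validate(root.Pub, []RRset{impostorRoot.DS(tld), tld.DS(signedSLD)}, genuineSigned),
	}
}

func main() {
	for name, st := range Scenarios() {
		fmt.Printf("%-40s %s\n", name, st)
	}
}
```

`go run` prints one verdict per scenario (map order varies). The point to take from it is that the verdict depends only on the signatures in the chain, not on how the resolver reached the server that returned them: the forged answer under `legacy.test.` is `insecure` exactly like the genuine one, so in this model nothing the attacker needs in order to stand up the bogus server is any harder than spoofing the unsigned reply itself, whereas every attempt to alter or downgrade the signed path fails on the parent's signature.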