Moin!

> On 10 Nov 2014, at 20:11, Brian Dickson <brian.peter.dick...@gmail.com> wrote:
>> With DNSSEC any modification (malicious or not) can be detected so the
>> actual packet origin doesn't matter. The data origin/authenticity is what we
>> care about.
>>
> This is true ONLY for DNSSEC-protected data, and then only to the degree that
> confidentiality is not an issue.
>
> For example, by substituting the address glue for the root servers, an
> attacker could then MitM all subsequent DNS traffic, by providing delegation
> glue for nameservers that point at (other) attacker-controlled machines. At a
> minimum, the attacker would see all the DNS queries and answers. And, for any
> names not DNSSEC-protected, the attacker could then trivially supply forged
> answers.

So you would have to be man in the middle on the priming query, as otherwise these addresses are ignored. Pretty hard if you are running on 127.0.0.1 or nearby the resolver. Now if you stub without priming, which is what Warren's draft suggests, this attack is impossible, as you are hard-coding the IP you ask the first iterative query and only look at and follow the referral, which at some point includes validating the signature over the DS record that points to the DNSKEY of the TLD.

> Given the relatively low penetration rate in sizeable portions of the
> namespace, this is indeed something worth worrying about.

But if that is a problem worth worrying about, it already exists today, as your path to the root server is longer now. It is not made worse by this or Warren's proposal.

So long
-Ralf

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
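The resolution model Ralf describes (start at a hard-coded root address with no priming query, follow referrals, and check each zone's DNSKEY against the DS record its parent signed) as an added toy model; this is not code from the thread or from Warren's draft. Everything in it is constructed: the zone names, the 192.0.2.x / 198.51.100.x addresses, the in-memory "network" dictionary, and a Lamport one-time signature built from SHA-256 that stands in for real DNSSEC algorithms (each toy key signs a single message, so the one-time property is not violated). As in real DNS, glue addresses are not signed; the point the model makes is that a server reached via tampered glue cannot pass the DS-to-DNSKEY check without the zone's private key.

```python
"""Toy iterative resolver with DS -> DNSKEY validation (constructed example, not a real resolver)."""
import hashlib
import os


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen():
    """Lamport one-time keys: private = 256 pairs of random secrets, public = their hashes."""
    priv = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    return priv, [(H(a), H(b)) for a, b in priv]


def _bits(msg: bytes):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def sign(priv, msg: bytes):
    return [priv[i][b] for i, b in enumerate(_bits(msg))]


def verify(pub, msg: bytes, sig) -> bool:
    return all(H(sig[i]) == pub[i][b] for i, b in enumerate(_bits(msg)))


def ds_digest(pub) -> bytes:
    """DS record content: a digest of the child's DNSKEY, published and signed by the parent."""
    return H(b"".join(a + b for a, b in pub))


def wire(owner: str, rtype: str, value: bytes) -> bytes:
    return owner.encode() + b"|" + rtype.encode() + b"|" + value


def _under(qname: str, zone_name: str) -> bool:
    return qname == zone_name or qname.endswith("." + zone_name)


class Zone:
    def __init__(self, name: str):
        self.name = name
        self.priv, self.dnskey = keygen()
        self.records = {}   # (owner, type) -> value; everything here gets an RRSIG
        self.children = {}  # child zone name -> glue address (unsigned, like real glue)

    def publish(self, owner: str, rtype: str, value: bytes):
        self.records[(owner, rtype)] = value

    def delegate(self, child: "Zone", glue_address: str):
        self.children[child.name] = glue_address
        self.publish(child.name, "DS", ds_digest(child.dnskey))  # DS is a signed record

    def lookup(self, qname: str, qtype: str):
        """Answer if authoritative, otherwise refer to the delegated child covering qname."""
        if (qname, qtype) in self.records:
            value = self.records[(qname, qtype)]
            return ("answer", value, sign(self.priv, wire(qname, qtype, value)))
        for child, glue in self.children.items():
            if _under(qname, child):
                ds = self.records[(child, "DS")]
                return ("referral", child, ds, sign(self.priv, wire(child, "DS", ds)), glue)
        return ("nxdomain",)


def resolve(network, root_address: str, trust_anchor: bytes, qname: str, qtype: str):
    """Start at a hard-coded root address (no priming query), check each server's DNSKEY
    against the DS its parent signed, follow referrals; return ('secure', value) or ('bogus', why)."""
    address, expected_ds = root_address, trust_anchor
    while True:
        server = network[address]
        if ds_digest(server.dnskey) != expected_ds:
            return ("bogus", f"DNSKEY at {address} does not match the DS signed by the parent")
        reply = server.lookup(qname, qtype)
        if reply[0] == "answer":
            _, value, sig = reply
            if not verify(server.dnskey, wire(qname, qtype, value), sig):
                return ("bogus", f"bad RRSIG on {qname}/{qtype}")
            return ("secure", value)
        if reply[0] == "referral":
            _, child, ds, ds_sig, glue = reply
            if not verify(server.dnskey, wire(child, "DS", ds), ds_sig):
                return ("bogus", f"bad RRSIG on DS for {child}")
            address, expected_ds = glue, ds  # glue is unsigned; the DS pins the next DNSKEY
            continue
        return ("bogus", f"no answer for {qname}/{qtype}")


def build_scenario():
    """Constructed tree: root -> org. -> example.org., each at a made-up address."""
    root, tld, zone = Zone("."), Zone("org."), Zone("example.org.")
    zone.publish("www.example.org.", "A", b"192.0.2.10")
    tld.delegate(zone, "192.0.2.2")
    root.delegate(tld, "192.0.2.1")
    return {"192.0.2.0": root, "192.0.2.1": tld, "192.0.2.2": zone}, root


def honest_path():
    network, root = build_scenario()
    return resolve(network, "192.0.2.0", ds_digest(root.dnskey), "www.example.org.", "A")


def hijacked_tld_glue():
    """A server with its own key sits at the TLD's glue address and serves a forged A record."""
    network, root = build_scenario()
    evil = Zone("org.")
    evil.publish("www.example.org.", "A", b"198.51.100.66")
    network["192.0.2.1"] = evil
    return resolve(network, "192.0.2.0", ds_digest(root.dnskey), "www.example.org.", "A")
```

`honest_path()` returns `("secure", b"192.0.2.10")`; `hijacked_tld_glue()` returns a `"bogus"` result at the first hop after the root, because the impostor's DNSKEY does not hash to the DS the root signed. Rewriting the glue address inside the referral instead of replacing the server behind it leads to the same outcome, which is why the unsigned glue is not what the security of the chain rests on. Note that `resolve()` takes the root address as a fixed parameter rather than learning it from a priming answer, which is the "stub without priming" arrangement the reply refers to; a forged root-hints answer has nothing to act on here.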