On Mon, 21 Mar 2022, Masataka Ohta wrote:

> > DNS cookies provide no data origin security, only a weak transport
> > security against non-onpath attackers.
>
> If a resolver correctly knows an IP address of a nameserver of a
> parent zone

This statement seems to be a recursion of the original problem statement?

> and the resolver and the nameserver can communicate
> with a long enough ID, the resolver can correctly know an IP
> address of a nameserver of a child zone, which is secure enough
> data origin security.

This would not help for on-path attackers (without DoT, DoH).

How would this be safe against the current BGP attacks we are seeing?

> As for MitM attacks, PKI, in general, is insecure against
> them as was demonstrated by DigiNotar. So, don't bother.

DNSSEC is more hierarchical than the "bag of CAs", so a failure
like this would be more contained. Regardless, I do not understand
how PKI failures relate to DNS?

> IETF can do nothing if some government legally forces
> people to install some government-provided certificates
> into some PKI, including DNSSEC, which is as easy as
> MitM attacks on the ISP chain may be by government order.

With DNSSEC, a government in country X cannot spoof data of
country Y, they can only block it. DNS without DNSSEC allows
country Y to spoof country X.

Again, I think perhaps you should write this up in a draft, so
we can see how your proposal would cover everything that DNSSEC
covers.

Paul
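The distinction the thread turns on, transport security (message IDs and DNS cookies) versus data origin security (DNSSEC signatures), as an added toy model that is not part of this message or the thread. It assumes nothing about real DNS wire format: the resolver, the zone, the RR data and the "attacker positions" are all constructed here, and a Lamport one-time signature (pure standard library) stands in for a DNSSEC zone-signing key so the model needs no third-party crypto package.

```python
"""Toy model: transport checks (ID + cookie) versus data origin checks
(signature from a trust anchor). Constructed for illustration only; not
real DNS messages and not real DNSSEC."""
import hashlib
import secrets
from dataclasses import dataclass
from typing import List, Optional


def H(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()


# Lamport one-time signature: a stdlib-only public-key scheme used here as
# a stand-in for the zone-signing key of a DNSSEC-signed zone.
def lamport_keygen():
    priv = [[secrets.token_bytes(32), secrets.token_bytes(32)] for _ in range(256)]
    pub = [[H(pair[0]), H(pair[1])] for pair in priv]
    return priv, pub


def lamport_sign(priv, msg: bytes) -> List[bytes]:
    bits = int.from_bytes(H(msg), "big")
    return [priv[i][(bits >> (255 - i)) & 1] for i in range(256)]


def lamport_verify(pub, msg: bytes, sig: List[bytes]) -> bool:
    bits = int.from_bytes(H(msg), "big")
    return all(H(sig[i]) == pub[i][(bits >> (255 - i)) & 1] for i in range(256))


@dataclass
class Response:
    txid: int                    # 16-bit message ID chosen by the resolver
    cookie: bytes                # 8-byte client cookie the server must echo
    rrdata: bytes                # constructed RR data, e.g. b"ns1.child.example. A 192.0.2.53"
    sig: Optional[List[bytes]]   # zone-key signature over rrdata, or None if unsigned


class Resolver:
    def __init__(self, trust_anchor_pub):
        self.trust_anchor_pub = trust_anchor_pub   # hypothetical configured trust anchor
        self.txid = secrets.randbelow(1 << 16)
        self.cookie = secrets.token_bytes(8)

    def accept_transport(self, r: Response) -> bool:
        """Transport check only: ID and cookie must match what the resolver sent."""
        return r.txid == self.txid and r.cookie == self.cookie

    def accept_validated(self, r: Response) -> bool:
        """Transport check plus data origin check against the trust anchor."""
        if not self.accept_transport(r):
            return False
        return r.sig is not None and lamport_verify(self.trust_anchor_pub, r.rrdata, r.sig)


def honest_answer(resolver: Resolver, zone_priv, rrdata: bytes) -> Response:
    return Response(resolver.txid, resolver.cookie, rrdata, lamport_sign(zone_priv, rrdata))


def offpath_forgery(rrdata: bytes) -> Response:
    # Off-path: never saw the query, so ID and cookie can only be guessed.
    return Response(secrets.randbelow(1 << 16), secrets.token_bytes(8), rrdata, None)


def onpath_forgery(resolver: Resolver, rrdata: bytes) -> Response:
    # On-path: saw the query, so ID and cookie are known; the zone key is not.
    return Response(resolver.txid, resolver.cookie, rrdata, None)


def run_scenarios() -> dict:
    zone_priv, zone_pub = lamport_keygen()
    good = b"ns1.child.example. A 192.0.2.53"      # constructed sample RR
    bad = b"ns1.child.example. A 198.51.100.66"    # constructed substitute RR
    r = Resolver(zone_pub)
    tampered = honest_answer(r, zone_priv, good)
    tampered.rrdata = bad                         # on-path edit of a signed answer
    return {
        "honest/transport": r.accept_transport(honest_answer(r, zone_priv, good)),
        "honest/validated": r.accept_validated(honest_answer(r, zone_priv, good)),
        "offpath/transport": r.accept_transport(offpath_forgery(bad)),
        "onpath/transport": r.accept_transport(onpath_forgery(r, bad)),
        "onpath/validated": r.accept_validated(onpath_forgery(r, bad)),
        "onpath-tampered/validated": r.accept_validated(tampered),
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:28s} accepted={ok}")
```

Reading the results: the transport check alone stops the off-path guesser (80 bits of ID plus cookie to guess) but is satisfied by anyone who can see the query, which is the on-path case in the message above. The signature check rejects the on-path substitute and the tampered signed answer alike; what remains to an on-path party is to withhold or corrupt the answer, which matches the "can only block it" point, since the resolver ends up with no usable data rather than wrong data.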

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop