On Mar 21, 2022, at 13:28, Masataka Ohta <mo...@necom830.hpcl.titech.ac.jp> wrote:
>
> Paul Wouters wrote:
>
>>> If a resolver correctly knows an IP address of a nameserver of a
>>> parent zone
>
>> This statement seems a recursion of the original problem statement?
>
> What?

You claim DNS can be secured if we somehow securely know all the IPs of all nameservers of parent zones, for which the only source is DNS. How do you propose to fulfill your own stated requirement without DNSSEC?

>> How would this be safe against the current BGP attacks we are seeing?
>
> Are you saying connecting to an IP address secured by DNSSEC
> is safe even under BGP attacks?

Yes. Obviously the attacker can deny the actual real DNS content, but sending their own made-up DNS data is ignored due to data origin protection.

>>> As for MitM attacks, PKI, in general, is insecure against
>>> them as was demonstrated by DigiNotar. So, don't bother.
>
>> DNSSEC is more hierarchical than the "bag of CAs", so a failure
>> like this would be more contained. Regardless, I do not understand
>> how PKI failures relate to DNS?
>
> Are you saying you don't understand DNSSEC is a form of PKI?

Please refrain from ad hominem attacks if you wish to continue to discuss. A WebPKI root CA failure has no relationship to DNSSEC, which has no root CAs.

> Country X legally forcing people to install government provided
> root certificates can freely spoof PKI, including DNSSEC, data
> of country Y.

No they cannot. I can give you root access to a nameserver for nohats.ca and you still can't create a "proof.nohats.ca" DNS record that Google DNS would serve to people. Similarly, if we imagine you can coerce country X to do anything you want, how could you get this DNS record published so that the world's servers/clients will believe your answer to be true?

>> Again, I think perhaps you should write this up in a draft, so
>> we can see how your proposal would cover everything that DNSSEC
>> covers.
>
> Before DigiNotar, maybe. After that, I don't think it necessary
> any more.

If you only handwave your claims, the only possible IETF response is to not spend time on your claims. I have now given you two methods to substantiate your claims to further the discussion.

Paul

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
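The data-origin argument made in the message above (an attacker who hijacks the route to a nameserver, or has root on it, can deny or alter what is served, but a validating resolver accepts nothing that is not signed by the zone's key), as an added example that is not part of the thread or of any DNSSEC implementation. It collapses DNSSEC to a single Ed25519 zone key (algorithm 15) used directly as the resolver's trust anchor: there is no DS/DNSKEY chain from the root, no RRset, and no RRSIG timing fields. The record names, rdata strings and the verdict labels are the example's own assumptions; proof.nohats.ca is the name used in the message.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
)

// RR is a cut-down resource record: owner name, type and rdata. Real DNSSEC
// signs a whole RRset and also covers TTL, class and the RRSIG header; those
// are left out of this illustration.
type RR struct {
	Name  string
	Type  string
	Rdata string
}

// SignedRR is an answer as the validator receives it: the record plus an
// RRSIG-like signature made with the zone's private key.
type SignedRR struct {
	RR  RR
	Sig []byte
}

// canonical returns the bytes the signature covers. As in RFC 4034 the owner
// name is lowercased, and name, type and rdata are all included, so changing
// any one of them breaks the signature.
func canonical(rr RR) []byte {
	return []byte(strings.ToLower(rr.Name) + "\x00" + rr.Type + "\x00" + rr.Rdata)
}

// Sign is the zone owner's step: an Ed25519 zone key (DNSSEC algorithm 15)
// signs the record. Only the holder of this key can produce a valid Sig.
func Sign(zoneKey ed25519.PrivateKey, rr RR) SignedRR {
	return SignedRR{RR: rr, Sig: ed25519.Sign(zoneKey, canonical(rr))}
}

// Validate is the resolver's verdict. A nil answer stands for a query the
// attacker simply dropped. In this toy the trust anchor is the zone key
// itself; a real validator derives it from the root KSK via DS records.
func Validate(trustAnchor ed25519.PublicKey, ans *SignedRR) string {
	if ans == nil {
		return "timeout" // denial is possible, but no attacker data is accepted
	}
	if ed25519.Verify(trustAnchor, canonical(ans.RR), ans.Sig) {
		return "secure"
	}
	return "bogus" // surfaced to clients as SERVFAIL, never as data
}

// Scenario plays out the cases argued in the thread and returns the
// validator's verdict for each. The attacker controls the path to, or the
// machine of, the nameserver, but never the zone's private key.
func Scenario() map[string]string {
	zonePub, zonePriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader) // attacker's own key, not the anchor

	// Constructed sample record for the name used in the thread.
	genuine := Sign(zonePriv, RR{"proof.nohats.ca.", "TXT", "signed by the zone"})
	v := map[string]string{}

	// Normal path: the real signed answer validates.
	v["genuine"] = Validate(zonePub, &genuine)

	// BGP hijack that merely relays the genuine answer: data unchanged, still secure.
	relayed := genuine
	v["hijack-relay"] = Validate(zonePub, &relayed)

	// Root on the nameserver: attacker publishes a record signed with a key of
	// their own. It is not the key the resolver trusts, so it is bogus.
	forged := Sign(attackerPriv, RR{"proof.nohats.ca.", "TXT", "attacker data"})
	v["forged-own-key"] = Validate(zonePub, &forged)

	// Reuse of the genuine signature over different rdata.
	tampered := SignedRR{RR: RR{"proof.nohats.ca.", "TXT", "attacker data"}, Sig: genuine.Sig}
	v["tampered-rdata"] = Validate(zonePub, &tampered)

	// Genuine record and signature moved to a different owner name.
	moved := SignedRR{RR: RR{"www.nohats.ca.", "TXT", "signed by the zone"}, Sig: genuine.Sig}
	v["moved-name"] = Validate(zonePub, &moved)

	// Denial: the attacker drops the query. The resolver fails closed.
	v["dropped"] = Validate(zonePub, nil)
	return v
}

func main() {
	v := Scenario()
	for _, k := range []string{"genuine", "hijack-relay", "forged-own-key", "tampered-rdata", "moved-name", "dropped"} {
		fmt.Printf("%-15s %s\n", k, v[k])
	}
}
```

The three attacker cases all come out "bogus" for the same reason: the verdict depends on a key the attacker does not hold, not on which IP address answered, which is why rerouting the nameserver's prefix buys an attacker denial of service but not forged data. A real validator additionally walks DS/DNSKEY records up to the root trust anchor and checks RRSIG validity windows, so the single-key anchor here understates the amount of signed state involved, not the direction of the result.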