Paul Wouters wrote:

"Using a rogue AS known as AS9457, on February 3, the attackers
began advertising that they owned the IP addresses that served
developers.kakao.com,"

It is as easy as compromising developers.kakao.com.

You can define every technical hack as a social problem because it
involved humans.

Yup.

The problem of DNSSEC, or PKI in general, is that, assuming such attacks, it is equally easy to socially compromise a zone with DNSSEC signature.

Yet that has never happened, unlike BGP attacks.

You miss my point that DNSSEC to produce correct IP addresses
is powerless against BGP attacks.

It's pretty easy to forge certificates.

Never rely on untrustworthy TTPs.

Yet I don’t hear you say to abandon TLS?

TLS is no better than DH, which is subject to MitM attacks,
though you might hear it from me for the first time.

Because security by PKI including DNSSEC is not end to end

With TRRs in browsers like Firefox, it practically is.

Wrong.

Because it is not end to end, it is subject to MitM attacks
on software distribution chain.

Or, can you improve DNSSEC to instantly invalidate compromised
zone information, which is impossible with slowly acting CRLs?

DNSSEC has no CRLs, only TTLs. I think you meant PKI here, not
DNSSEC?

That CRLs are very slow to react against attacks because
PKI is not end to end makes CRLs totally useless for
PKIs including DNSSEC, which is why I stated "instantly
invalidate".

Socially, having long enough message IDs is as secure as DNSSEC.

“Socially” makes no sense from a protocol level.

BCP is not at the protocol level.


That is because authors of the original specification of DNSSEC
ignored my comments

It was not ignored, it was rejected.

It was ignored and rejected but later, with some implementation
efforts, was recognized, resulting in specification changes in
the worst possible way, because recognition occurred too late.

So?

> Please submit a draft with enough details for an implementer and/or
> sample code so the IETF can objectively evaluate your claims.

No implementation or code is necessary to say DNSSEC is
fundamentally hopeless.

                                                Masataka Ohta

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop