On Mar 23, 2022, at 13:56, Masataka Ohta <mo...@necom830.hpcl.titech.ac.jp> wrote:

> If a parent zone administrator or some employee of it is
> compromised and forged zone delegation (with an IP address
> of a forged nameserver using forged public/secret keys)
> is signed by a valid key, it will not be noticed easily.
Such an individual would have to get access, create the records, and give them to others, who then have to on-path attack you. At the TLD level and higher, this involves HSMs and physical access restrictions using a "four eyes minimum" approach. At this point, it is easier to obtain physical access to the end-user device and compromise the OS, browser or WebPKI stack; a DNS attack is not needed. Even cheaper at this point is to use a hammer on the user's knee cap.

>> So the threat model for a viable DNSSEC attack is quite a bit different
>> than for a recursive resolver attack, and is not something that could be
>> easily effected by a small entity.
>
> Merely because message ID is short, which can be improved,
> which is a lot easier than deploying so costly DNSSEC.

You did not answer my earlier question on how you obtain this alleged secure IP address of all DNS nameservers you plan to talk to with "extra strong message ID". Note also that the same employee from above can tcpdump their nameserver or read the RAM and give the extra strong message ID to the attacker. So all attacks you attribute to DNSSEC apply to msg ID too.

> If a resolver has some knowledge on contents of an attacked zone, such
> as IP addresses of some servers or some DNSSEC keys, it can detect
> a DNS (both resolver and DNSSEC) attack by comparing, unless
> an attacker knows IP addresses of detecting resolvers and
> returns unforged answers to them.

So? Forged answers require access to a private key. As stated, those tend to be in HSMs or offline, so "attacker knowing IP address" is insufficient to forge answers. Your previous reply to this has been "there is always a human you can buy that has access to the key", in which case see the above hammer and knee cap discussion.

> Unlike that, birthday attacks on resolvers are trivially detectable
> by the resolvers.
In your described world, a birthday attack would not be needed, as the compromised operator that would have DNSSEC key access can also just share the msg ID with the attacker. So the attacker uses one regular response that you cannot distinguish from an unforged response. In a world with your own parameters, your solution would equally have no chance.

Paul

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
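The exchange above turns on whether a resolver can notice ID-guessing ("birthday") floods on its own. The following Python is an added illustration written for this page; it is not code from the DNSOP thread, from either correspondent, or from any real resolver. It models the resolver-side check in its simplest form: a genuine answer must match exactly one outstanding query on message ID, source port and question name, so guessed responses for a pending name accumulate as unmatched responses and can be flagged. The log format, the `Q`/`R` records, the threshold and the sample traffic are all constructed for the example.

```python
"""Resolver-side detection of unmatched DNS responses (added example).

Constructed model, not real resolver code: each outstanding query is a
(message ID, source port, qname) triple; a response that matches one is
accepted, anything else is counted as unmatched for that qname.
"""
from collections import Counter
import re

# Constructed log format: "Q id=0x.... port=N qname=name." for queries sent,
# "R id=0x.... port=N qname=name." for responses received.
LINE_RE = re.compile(
    r"^(?P<kind>Q|R) id=(?P<id>0x[0-9a-f]{4}) port=(?P<port>\d+) qname=(?P<qname>\S+)$"
)


def parse(line):
    """Parse one constructed log line; return (kind, id, port, qname) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m["kind"], int(m["id"], 16), int(m["port"]), m["qname"]


def analyze(lines, threshold=50):
    """Return (matched, unmatched, flagged).

    matched/unmatched are Counters keyed by qname; flagged lists the names
    whose unmatched-response count reached the threshold (the signature the
    thread calls "trivially detectable by the resolvers").
    """
    outstanding = set()  # (id, port, qname) triples still awaiting an answer
    matched = Counter()
    unmatched = Counter()
    flagged = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # ignore lines that are not in the constructed format
        kind, msg_id, port, qname = rec
        key = (msg_id, port, qname)
        if kind == "Q":
            outstanding.add(key)
        elif key in outstanding:
            outstanding.remove(key)  # only the first exact match is accepted
            matched[qname] += 1
        else:
            unmatched[qname] += 1
            if unmatched[qname] == threshold and qname not in flagged:
                flagged.append(qname)
    return matched, unmatched, flagged


def constructed_log(burst=200):
    """Build sample traffic: one clean exchange, then a burst of responses
    for a pending name whose IDs never equal the real one (0x7c3d)."""
    lines = [
        "Q id=0x1a2b port=40001 qname=www.example.com.",
        "R id=0x1a2b port=40001 qname=www.example.com.",
        "Q id=0x7c3d port=40002 qname=www.example.org.",
    ]
    # Constructed unmatched responses with IDs 0x0001..burst, all below 0x7c3d.
    lines += [
        f"R id=0x{i:04x} port=40002 qname=www.example.org."
        for i in range(1, burst + 1)
    ]
    lines.append("R id=0x7c3d port=40002 qname=www.example.org.")  # genuine answer
    return lines


if __name__ == "__main__":
    matched, unmatched, flagged = analyze(constructed_log(), threshold=50)
    for name in sorted(set(matched) | set(unmatched)):
        print(f"{name}: matched={matched[name]} unmatched={unmatched[name]}")
    print("flagged:", flagged)
```

The detector keys on the full triple rather than the ID alone because, as the thread notes, the 16-bit ID by itself is short; source-port randomization widens the space a guess has to hit, and the count of misses per pending name is what makes a guessing flood visible. Note that this check says nothing about the other case in the thread: a response carrying the correct ID obtained from a compromised operator matches the outstanding query exactly and is indistinguishable here from a genuine one.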