Re: New addresses for b.root-servers.net

Mon, 19 Jun 2023 02:09:30 -0700 

Matt Corallo wrote:


Both in theory and practice, DNSSEC is not secure end to
end



Indeed, but (a) there's active work in the IETF to change that (DNSSEC 
stapling to TLS certs)


TLS? What? As was demonstrated by diginotar, PKI is NOT
cryptographically secure and vulnerable to MitM attacks
on intermediate intelligent entities of CAs.

Note that diginotar was advertised to be operated
with HSMs and four-eyes principle, which means
both of them were proven to be untrustworthy
marketing hypes.


and (b) that wasn't the point - the above post 
said "It’s not like you can really trust your packets going to B _today_ 
are going to and from the real B (or Bs)." which is exactly what DNSSEC 
protects against!


As long as root key rollover is performed in time and
intermediate zones such as ccTLDs are not compromised,
maybe, which is why it is not very useful or secure.

The following description

        https://en.wikipedia.org/wiki/DigiNotar
        Secondly, they issued certificates for the Dutch
        government's PKIoverheid ("PKIgovernment") program.
        This issuance was via two intermediate certificates,
        each of which chained up to one of the two "Staat der
        Nederlanden" root CAs. National and local Dutch
        authorities and organisations offering services for the
        government who want to use certificates for secure internet
        communication can request such a certificate. Some of the
        most-used electronic services offered by Dutch governments
        used certificates from DigiNotar. Examples were the
        authentication infrastructure DigiD and the central
        car-registration organisation Netherlands Vehicle
        Authority [nl] (RDW).

makes it clear that entities operating ccTLDs may also
be compromised.


If its not useful, please describe a mechanism by which an average 
recursive resolver can be protected against someone hijacking C root on 
Hurricane Electric (which doesn't otherwise have the announcement at 
all, last I heard) and responding with bogus data?


As DNSSEC capable resolvers are not very secure, you don't
have to make plain resolvers so secure.


For example, root key rollover is as easy/difficult as
updating IP addresses for b.root-servers.net.



Then maybe read the rest of this thread, cause lots of folks pointed out 
issues with *just* updating the IP and not bothering to give it some 
time to settle :)


In this thread, I'm the first to have pointed out that old IP
addresses of root servers must be reserved (for 50 years).


                                                Masataka Ohta

























					Reply via email to