Oh dear! DNSSEC education campaign has yet to begin!

Thierry Moreau thierry.moreau at connotech.com
Fri Jun 2 15:07:28 EDT 2006

Just to share two findings showing that DNSSEC awareness is still very 
limited in otherwise security educated circles:

(A) An in-depth technical study of phishing attacks clearly documents 
the consequences of DNS cache poisoning but fails to mention DNSSEC:

Online Identity Theft: Phishing Technology, Chokepoints and 
Countermeasures, Aaron Emigh, Radix Labs, October 3, 2005 
(http://www.antiphishing.org/Phishing-dhs-report.pdf) -- this study was 
financed by DHS.

(B) In "The Cryptography Mailing List" where security gurus of various 
types are discussing Internet/payment/computer security foundations, in 
a thread about Opportunistic encryption:

http://lists.virus.org/cryptography-0605/msg00145.html, of which some 

"Encrypting DNS is unacceptable, because the very large number of very 
short messages make public key encryption an intolerable overhead.  A 
DNS message also has to fit in a single datagram.

"To accommodate these constraints, we need DNS certificates sent in the 
clear, and signed with elliptic curve public keys (which allow both 
signatures and certificates to be short enough to fit in a datagram). 
The client walks the certificate chain from time to time and it caches 
the certificates, to avoid excessively loading the issuers of higher 
level certificates.

"But this is all theoretical at this stage, for DNS attacks are not our 
biggest problem.  Once we have deployed systems that make it difficult 
to snoop and scam without attacking DNS, *then* we will see DNS come 
under heavy attack, and *then* there will be motivation to change the 
DNS system."

In summary, if DNSSEC didn't exist, this author (James A. Donald) would 
invent it out of phishing attack necessity! Not bad by itself; it's the 
fact that nobody in "The Cryptography Mailing List" brought DNSSEC into 
this discussion thread.

I come to no conclusion from these observations. Would anyone volunteer to 
explain why DNSSEC has so little awareness outside of IETF DNS(EXT/OP) 
and ICANN meeting attendees?

Have a good week-end!


- Thierry Moreau

CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, Qc
Canada   H2M 2A1

Tel.: (514)385-5691
Fax:  (514)385-5900

web site: http://www.connotech.com
e-mail: thierry.moreau at connotech.com