Oh dear! DNSSEC education campaign has yet to begin!
thierry.moreau at connotech.com
Fri Jun 2 15:07:28 EDT 2006
Just to share two findings showing that DNSSEC awareness is still very
limited in otherwise security educated circles:
(A) An in-depth technical study of phishing attacks clearly documents
the consequences co DNS cache poisoning but fails to mention DNSSEC:
Online Identity Theft: Phishing Technology, Chokepoints and
Countermeasures, Aaron Emigh, Radix Labs, October 3, 2005
(http://www.antiphishing.org/Phishing-dhs-report.pdf) -- this study was
financed by DHS.
(B) In "The Cryptography Mailing List" where security gurus of various
types are discussing Internet/payment/computer security foundations, in
a thread about Opportunistic encryption:
http://lists.virus.org/cryptography-0605/msg00145.html, of which some
"Encrypting DNS is unacceptable, because the very large number of very
short messages make public key encryption an intolerable overhead. A
DNS message also has to fit in a single datagram.
"To accommodate these constraints, we need DNS certificates sent in the
clear, and signed with elliptic curve public keys (which allow both
signatures and certificates to be short enough to fit in a datagram).
The client walks the certificate chain from time to time and it caches
the certificates, to avoid excessively loading the issuers of higher
"But this is all theoretical at this stage, for DNS attacks are not our
biggest problem. Once we have deployed systems that make it difficult
to snoop and scam without attacking DNS, *then* we will see DNS come
under heavy attack, and *then* there will be motivation to change the
In summary, if DNSSEC didn't exist, this author (James A. Donald) would
invent it out of phishing attack necessity! Not bad by itself, it's the
fact that nobody in "The Cryptography Mailing List" brought DNSSEC in
this discussion thread.
I come to no conclusion from these observations. Anyone volunteer to
explain why DNSSEC has so little awareness outside of IETF DNS(EXT/OP)
and ICANN meeting attendees?
Have a good week-end!
- Thierry Moreau
CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Canada H2M 2A1
web site: http://www.connotech.com
e-mail: thierry.moreau at connotech.com
More information about the Dnssec-deployment