[dnssec-deployment] Oh dear! DNSSEC education campaign has yet to begin!

Steve Crocker steve at shinkuro.com
Fri Jun 2 16:12:53 EDT 2006


Thierry,

Thanks for this report.  Would you like to put something on the  
Cryptography Mailing List and see whether you can generate any  
traction for DNSSEC?

Steve


Steve Crocker
steve at shinkuro.com

Try Shinkuro's collaboration technology.  Visit www.shinkuro.com.  I  
am steve!shinkuro.com.


On Jun 2, 2006, at 3:07 PM, Thierry Moreau wrote:

> Just to share two findings showing that DNSSEC awareness is still  
> very limited in otherwise security educated circles:
>
>
> (A) An in-depth technical study of phishing attacks clearly
> documents the consequences of DNS cache poisoning but fails to
> mention DNSSEC:
>
> Online Identity Theft: Phishing Technology, Chokepoints and
> Countermeasures, Aaron Emigh, Radix Labs, October 3, 2005
> (http://www.antiphishing.org/Phishing-dhs-report.pdf) -- this study was
> financed by DHS.
>
>
> (B) In "The Cryptography Mailing List" where security gurus of  
> various types are discussing Internet/payment/computer security  
> foundations, in a thread about Opportunistic encryption:
>
> http://lists.virus.org/cryptography-0605/msg00145.html, of which  
> some excerpt:
>
> "Encrypting DNS is unacceptable, because the very large number of  
> very short messages make public key encryption an intolerable  
> overhead.  A DNS message also has to fit in a single datagram.
>
> "To accommodate these constraints, we need DNS certificates sent in  
> the clear, and signed with elliptic curve public keys (which allow  
> both signatures and certificates to be short enough to fit in a  
> datagram). The client walks the certificate chain from time to
> time and it caches the certificates, to avoid excessively loading
> the issuers of higher level certificates.
>
> "But this is all theoretical at this stage, for DNS attacks are not  
> our biggest problem.  Once we have deployed systems that make it  
> difficult to snoop and scam without attacking DNS, *then* we will  
> see DNS come under heavy attack, and *then* there will be  
> motivation to change the DNS system."
>
> In summary, if DNSSEC didn't exist, this author (James A. Donald)
> would invent it out of phishing attack necessity! Not bad in
> itself; it's the fact that nobody in "The Cryptography Mailing
> List" brought DNSSEC into this discussion thread.
>
>
> I come to no conclusion from these observations. Anyone volunteer  
> to explain why DNSSEC has so little awareness outside of IETF DNS 
> (EXT/OP) and ICANN meeting attendees?
>
>
> Have a good week-end!
>
>
> -- 
>
> - Thierry Moreau
>
> CONNOTECH Experts-conseils inc.
> 9130 Place de Montgolfier
> Montreal, Qc
> Canada   H2M 2A1
>
> Tel.: (514)385-5691
> Fax:  (514)385-5900
>
> web site: http://www.connotech.com
> e-mail: thierry.moreau at connotech.com
>
>
>