[CD-DNSSEC] Re: [dnssec-deployment] Oh dear! DNSSEC education campaign has yet to begin!

Marcus H. Sachs - SRI marcus.sachs at sri.com
Fri Jun 2 16:24:08 EDT 2006


I'll take the hit on not including DNSSEC in the anti-phishing report.  That
report was put together by a team that included SRI people working on a
DHS/S&T contract with Doug Maughan.  To be honest, when I read the paper
during the review process I didn't even think about ensuring that DNSSEC was
mentioned as a part of potential solutions.  I'll make sure that we don't
repeat that mistake on future papers and reports.


Marc


Marcus H. Sachs, P.E.
SRI International
1100 Wilson Blvd Suite 2800, Arlington VA  22209
tel +1 703 247 8717   fax +1 703 247 8569
mob +1 703 932 3984   marcus.sachs at sri.com



-----Original Message-----
From: cd-dnssec-bounces+marcus.sachs=sri.com at csl.sri.com
[mailto:cd-dnssec-bounces+marcus.sachs=sri.com at csl.sri.com] On Behalf Of
Steve Crocker
Sent: Friday, June 02, 2006 4:13 PM
To: DNSSEC deployment
Cc: Thierry Moreau
Subject: [CD-DNSSEC] Re: [dnssec-deployment] Oh dear! DNSSEC education
campaign has yet to begin!

Thierry,

Thanks for this report.  Would you like to put something on the Cryptography
Mailing List and see whether you can generate any traction for DNSSEC?

Steve


Steve Crocker
steve at shinkuro.com

Try Shinkuro's collaboration technology.  Visit www.shinkuro.com.  I am
steve!shinkuro.com.


On Jun 2, 2006, at 3:07 PM, Thierry Moreau wrote:

> Just to share two findings showing that DNSSEC awareness is still very 
> limited in otherwise security educated circles:
>
>
> (A) An in-depth technical study of phishing attacks clearly documents 
> the consequences of DNS cache poisoning but fails to mention DNSSEC:
>
> Online Identity Theft: Phishing Technology, Chokepoints and 
> Countermeasures, Aaron Emigh, Radix Labs, October 3, 2005 
> (http://www.antiphishing.org/Phishing-dhs-report.pdf) -- this study was 
> financed by DHS.
>
>
> (B) In "The Cryptography Mailing List" where security gurus of various 
> types are discussing Internet/payment/computer security foundations, 
> in a thread about Opportunistic encryption:
>
> http://lists.virus.org/cryptography-0605/msg00145.html, of which some 
> excerpt:
>
> "Encrypting DNS is unacceptable, because the very large number of very 
> short messages make public key encryption an intolerable overhead.  A 
> DNS message also has to fit in a single datagram.
>
> "To accommodate these constraints, we need DNS certificates sent in 
> the clear, and signed with elliptic curve public keys (which allow 
> both signatures and certificates to be short enough to fit in a 
> datagram). The client walks the  certificate chain from time to time 
> and it caches the certificates, to avoid excessively loading the 
> issuers of higher level certificates.
>
> "But this is all theoretical at this stage, for DNS attacks are not 
> our biggest problem.  Once we have deployed systems that make it 
> difficult to snoop and scam without attacking DNS, *then* we will see 
> DNS come under heavy attack, and *then* there will be motivation to 
> change the DNS system."
>
> In summary, if DNSSEC didn't exist, this author (James A. Donald) 
> would invent it out of phishing attack necessity! Not bad by itself, 
> it's the fact that nobody in "The Cryptography Mailing List" brought 
> DNSSEC in this discussion thread.
>
>
> I come to no conclusion from these observations. Anyone volunteer to 
> explain why DNSSEC has so little awareness outside of IETF DNS
> (EXT/OP) and ICANN meeting attendees?
>
>
> Have a good week-end!
>
>
> -- 
>
> - Thierry Moreau
>
> CONNOTECH Experts-conseils inc.
> 9130 Place de Montgolfier
> Montreal, Qc
> Canada   H2M 2A1
>
> Tel.: (514)385-5691
> Fax:  (514)385-5900
>
> web site: http://www.connotech.com
> e-mail: thierry.moreau at connotech.com
>
>
>
> #############################################################
> This message is sent to you because you are subscribed to
>  the mailing list <dnssec-deployment at shinkuro.com>.
> To unsubscribe, E-mail to: <dnssec-deployment-off at shinkuro.com>
> A public archive is available here:
> <http://mail.shinkuro.com:8100/Lists/dnssec-deployment/>
> and older material is at
> <http://mail.shinkuro.com:8100/Lists/dnssec-deployment-archive/>

