[dnssec-deployment] Fwd: [IP] Good Always Comes Out of Bad

Steve Crocker steve at shinkuro.com
Sun Jun 29 17:00:15 EDT 2008


I realized I should have also made the point that if a registry  
checks the signature of an RRset before it puts it into the  
registry's zone, it can reject false records from the registrar and  
thereby block this sort of attack.

Of course, if it's the registrar who is creating the signed records,  
then if the registrar is penetrated it's still possible to spoof the  
NS records.

Steve


On Jun 29, 2008, at 12:47 PM, Paul Vixie wrote:

>> Good point!  Yes, if ICANN were signing its zones, and if validators were
>> checking signatures, then bogus NS records would have been detected and
>> discarded.  The zone might have gone dark, but false entries would have been
>> ignored.
>
> seems like when the bad guys hacked into the registrar to change the NS RRs
> for the zone, they would have changed the DS RRs as well (if they were going
> to sign it) or remove the DS RRs (if they wanted the zone to go unsecured.)
>
> DNSSEC is just a lock, which only protects you if you use it and control its
> keying and control access to its keys.  because we're involving the registrar
> system in the keying (the DS RRs), any weakness in registrar authorization or
> security is transitively a weakness in your zone's DNSSEC security profile.
>
> noting that the bigger problem caused by registrars is that they don't have
> a business case for supporting DS RRs at all, just like the registries and
> technology suppliers and RDNS operators and GACs and boards, i still find it
> dismaying that if there were a business case, then registrar authorization
> and security is so weak at present that DNSSEC would be a joke if deployed.
>
> #############################################################
> This message is sent to you because you are subscribed to
>   the mailing list <dnssec-deployment at shinkuro.com>.
> To unsubscribe, E-mail to: <dnssec-deployment-off at shinkuro.com>
> A public archive is available here: <http://mail.shinkuro.com:8100/Lists/dnssec-deployment/>
> and older material is at
> <http://mail.shinkuro.com:8100/Lists/dnssec-deployment-archive/>
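The check Steve describes, as an added toy model (not code from the thread or from any registry): the registry keeps, for each delegation, the public key it trusts for that child zone (assumed here to have reached it over a separately authenticated channel) and verifies a signature over every NS RRset a registrar submits before the RRset goes into the parent zone. Case 1 is a registrant-held key: an attacker who has only compromised the registrar cannot produce a valid signature and the forged NS set is rejected. Case 2 is Steve's caveat: the registrar itself holds the key, so the same compromise yields a perfectly valid signature and the forged set is installed. The RRset type, the canonical form, and the `Sign`/`Accept` helpers are simplifications invented for this example, not DNSSEC wire format; Ed25519 stands in for a DNSSEC signing algorithm.

```go
package main

// Added example, not from the original message. The registry/registrar
// model, the RRset canonical form and all names below are assumptions
// made for illustration, not real DNSSEC or EPP structures.

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// RRset is a simplified owner/type/rdata set (hypothetical, not wire format).
type RRset struct {
	Owner string
	Type  string
	Rdata []string
}

// canonical returns a deterministic byte form: owner lower-cased, rdata sorted.
func (r RRset) canonical() []byte {
	rd := append([]string(nil), r.Rdata...)
	sort.Strings(rd)
	return []byte(strings.ToLower(r.Owner) + "|" + r.Type + "|" + strings.Join(rd, ","))
}

// SignedUpdate is what a registrar hands to the registry.
type SignedUpdate struct {
	RRset RRset
	Sig   []byte
}

// Sign produces a signed update with the given key (hypothetical helper).
func Sign(priv ed25519.PrivateKey, r RRset) SignedUpdate {
	return SignedUpdate{RRset: r, Sig: ed25519.Sign(priv, r.canonical())}
}

// Registry holds the parent zone and the trusted key per delegated name.
type Registry struct {
	trusted map[string]ed25519.PublicKey
	zone    map[string]RRset
}

func NewRegistry() *Registry {
	return &Registry{trusted: map[string]ed25519.PublicKey{}, zone: map[string]RRset{}}
}

// Trust records the key the registry will accept for a delegation.
func (g *Registry) Trust(owner string, pub ed25519.PublicKey) {
	g.trusted[strings.ToLower(owner)] = pub
}

// Accept verifies the update's signature before installing the RRset;
// a registrar-originated update that does not verify never reaches the zone.
func (g *Registry) Accept(u SignedUpdate) error {
	owner := strings.ToLower(u.RRset.Owner)
	pub, ok := g.trusted[owner]
	if !ok {
		return fmt.Errorf("%s: no trusted key on file", owner)
	}
	if !ed25519.Verify(pub, u.RRset.canonical(), u.Sig) {
		return errors.New(owner + ": signature does not verify, update rejected")
	}
	g.zone[owner] = u.RRset
	return nil
}

// NS returns the NS rdata currently in the parent zone for owner.
func (g *Registry) NS(owner string) []string {
	return g.zone[strings.ToLower(owner)].Rdata
}

// Outcome summarises the two situations discussed in the thread.
type Outcome struct {
	LegitimateAccepted   bool     // case 1: registrant-signed NS RRset installed
	ForgedRejected       bool     // case 1: attacker at the registrar, no registrant key
	FinalNS              []string // case 1: what the parent zone serves afterwards
	RegistrarKeyAccepted bool     // case 2: registrar held the key, forged set passed
}

func RunScenario() Outcome {
	var out Outcome
	good := []string{"ns1.example.net.", "ns2.example.net."} // constructed sample data
	bad := []string{"ns1.attacker.example."}                 // constructed sample data

	// Case 1: the registrant holds the key and the registry trusts it.
	regPub, regPriv, _ := ed25519.GenerateKey(rand.Reader)
	reg := NewRegistry()
	reg.Trust("example.com.", regPub)
	out.LegitimateAccepted = reg.Accept(Sign(regPriv, RRset{Owner: "example.com.", Type: "NS", Rdata: good})) == nil
	// An attacker inside the registrar can only sign with a key of their own.
	_, atkPriv, _ := ed25519.GenerateKey(rand.Reader)
	out.ForgedRejected = reg.Accept(Sign(atkPriv, RRset{Owner: "example.com.", Type: "NS", Rdata: bad})) != nil
	out.FinalNS = reg.NS("example.com.")

	// Case 2: the registrar creates the signed records, so the key lives there.
	rrPub, rrPriv, _ := ed25519.GenerateKey(rand.Reader)
	reg2 := NewRegistry()
	reg2.Trust("example.com.", rrPub)
	_ = reg2.Accept(Sign(rrPriv, RRset{Owner: "example.com.", Type: "NS", Rdata: good}))
	out.RegistrarKeyAccepted = reg2.Accept(Sign(rrPriv, RRset{Owner: "example.com.", Type: "NS", Rdata: bad})) == nil
	return out
}

func main() {
	fmt.Printf("%+v\n", RunScenario())
}
```

The point of the two cases is that the signature check at the registry only helps when the key that signs the delegation data is one the compromised registrar does not hold; who holds the key decides what a registrar compromise can do.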



