At 11:49 PM 06/29/2003 +0200, Simon Josefsson wrote:
No, I believe only one of the following situations can occur:
* Your laptop see and uses the name "yahoo.com", and the DNS server
translate them into yahoo.com.attackersdomain.com. If your laptop
knows the DNSSEC root key, the attacker cannot spoof yahoo.com since
it doesn't know the yahoo.com key. This attack is essentially a
man-in-the-middle attack between you and your recursive DNS server.
That doesn't happen. (Well, it could, but as you point out,
it's not a successful attack methodology, because DNSSEC was designed
to correctly take care of this.)
* Your laptop see and uses the name "yahoo.com.attackersdomain.com".
You may be able to verify this using your DNSSEC root key, if the
attackersdomain.com people have set up DNSSEC for their spoofed
entries, but unless you are using bad software or judgment, you will
not confuse this for the real "yahoo.com".
The DNS suffix business is designed so that your laptop tries
to use "yahoo.com.attackersdomain.com", either before "yahoo.com"
or after unsuccessfully trying "yahoo.com", depending on implementation.
It may be bad judgement, but it's designed to support intranet sites
for domains that want their web browsers and email to let you
refer to "marketing" as opposed to "marketing.webservers.example.com",
and Netscape-derived browsers support it as well as IE.
Of course, everything fails if you ALSO get your DNSSEC root key from
the DHCP server, but in this case you shouldn't expect to be secure.
I wouldn't be surprised if some people suggest pushing the DNSSEC root
key via DHCP though, because alas, getting the right key into the
laptop in the first place is a difficult problem.
I agree with you and Steve that this would be a Really Bad Idea.
The only way to make it secure is to use an authenticated DHCP,
which means you have to put authentication keys in somehow,
plus you need a reasonable response for handling authentication failures,
which means you need a user interface as well.
It's also the wrong scope, since the DNSSEC is global information,
not connection-oriented information, so it's not really DHCP's job.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
