* Perry E. Metzger:

> Actually, there are routine attacks on DNS infrastructure these days,
> but clearly they're not cryptographic since that's not
> deployed. However, a large part of the point of having DNSSEC is that we
> can then trust the DNS to be accurate so we can insert things like
> cryptographic keys into it.
As far as I know, only the following classes of DNS-related incidents have been observed:

(a) Non-malicious incorrect DNS responses from caches
    (a1) as the result of defective software
    (a2) due to misconfiguration
    (a3) as a means to generate revenue
    (a4) as a means to generate revenue, but informed consent of the affected party is disputed
    (a5) to implement local community standards

(b) Compromised service provider infrastructure
    (b1) ISP caching resolvers
    (b2) ISP-provisioned routers/DNS proxies at customer sites
    (b3) authoritative name servers and networks around authoritative name servers
    (b4) as the result of registrar/registry data manipulation

(c) DNS as a traffic amplifier, used for denial-of-service attacks both against DNS and non-DNS targets

(d) in-protocol, non-spoofed DNS-based reflective attacks against authoritative servers

(e) unclear incidents for which sufficient data is not available

The problem is that the "attacks" you mentioned are in class (e), but likely belong to (a1) and (a2) if we had more insight into them. Certainly, bad data itself is not proof of malicious intent.

(NB: (a1) does *not* include software using predictable query source ports. There does not appear to be corresponding attack activity.)

> I'm particularly concerned about the fact that it is difficult to a
> priori analyze all of the use cases for DNSSEC and what the incentives
> may be to attack them.

Well, this seems to be rather constructed to me. You state that DNSSEC is a game changer, and then it's indeed pretty unclear what level of cryptographic protection is required. But in reality, DNSSEC adoption is not likely to change DNS usage patterns. If there's an effect, it will be due to the more rigid protocol specification and a gradual phase-out of grossly non-compliant DNS implementations, and not due to the cryptography involved.
-- 
Florian Weimer                <fwei...@bfk.de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com