Hi,

On 28/10/2012 22:58, Roy Arends wrote:
> On Oct 28, 2012, at 7:40 AM, bert hubert <bert.hub...@netherlabs.nl> wrote:
>
>> On Sat, Oct 27, 2012 at 11:43:40PM -0700, David Conrad wrote:
>>>> It appears that source port randomization works.
>>>
>>> Was there ever any doubt? The question wasn't (isn't?) whether source
>>
>> Yes, people used the Kaminsky hack as a way to push DNSSEC.
>
> DNSSEC does not defend against the Kaminsky hack?
As a matter of fact, I think it does not. It only limits the impact of some attack scenarios. Hopefully, those thwarted are the most devastating, in terms of integrity, but if I'm correct you cannot honestly assert "DNSSEC solves the Kaminsky problem. Period."

AFAIK, DNSSEC does not possess any revocation mechanism (an expiration mechanism does exist, but I am really talking about _revocation_). This lack of a revocation mechanism can be a problem for some usages of DNSSEC, as in DANE, where usage type 2 or 3 induces a new risk: a cache could be poisoned via a Kaminsky attack with a TLSA record whose signature is still valid (even if it has been removed from the zone in an attempt to revoke it).

I have to admit this attack scenario is far-fetched, as most DNSSEC-validating servers do implement SPR and some even implement 0x20, but there is still the problem of middle boxes "un-randomizing" source ports.

I would be happy to be proven wrong. I'm only a not-so-young padawan, after all ;)

Regards,
Florian Maury

_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
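A defender-side check for the middle-box caveat raised in the message above, added here as example code that is not from the thread: given the UDP source ports that an authoritative server or a packet capture sees coming from one resolver, it flags port usage that looks de-randomized (sequential assignment or a tiny NAT pool). The thresholds and the three constructed port samples are assumptions, not measurements from any real resolver.

```python
"""Heuristic check of a resolver's outgoing UDP source ports (constructed data)."""
import math
import random
from collections import Counter

# Heuristic thresholds: assumptions chosen for this example, not from any RFC.
MAX_SEQUENTIAL_FRACTION = 0.05  # share of consecutive queries with a small positive step
MIN_DISTINCT_RATIO = 0.90       # distinct ports / observed ports
MIN_ENTROPY_BITS = 8.0          # Shannon entropy of the empirical port distribution
MIN_PORT_SPAN = 16384           # max(port) - min(port) over the sample


def shannon_bits(ports):
    """Entropy of the observed port frequencies (capped by log2(len(ports)))."""
    n = len(ports)
    return -sum((c / n) * math.log2(c / n) for c in Counter(ports).values())


def sequential_fraction(ports, max_step=8):
    """Share of successive queries whose port rose by 1..max_step (NAT-style)."""
    if len(ports) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(ports, ports[1:]) if 0 < b - a <= max_step)
    return steps / (len(ports) - 1)


def assess_source_ports(ports):
    """Return the metrics plus a verdict: 'randomized' or 'suspect'."""
    m = {
        "samples": len(ports),
        "distinct_ratio": len(set(ports)) / len(ports),
        "entropy_bits": shannon_bits(ports),
        "sequential_fraction": sequential_fraction(ports),
        "port_span": max(ports) - min(ports),
    }
    ok = (m["distinct_ratio"] >= MIN_DISTINCT_RATIO
          and m["entropy_bits"] >= MIN_ENTROPY_BITS
          and m["sequential_fraction"] <= MAX_SEQUENTIAL_FRACTION
          and m["port_span"] >= MIN_PORT_SPAN)
    m["verdict"] = "randomized" if ok else "suspect"
    return m


# Constructed samples: a resolver choosing random ephemeral ports, the same
# resolver behind a NAT that rewrites ports sequentially, and one behind a
# NAT with a 16-port pool. Seeded so the run is reproducible.
_rng = random.Random(2012)
RANDOM_PORTS = [_rng.randint(1024, 65535) for _ in range(500)]
SEQUENTIAL_NAT_PORTS = list(range(30000, 30500))
SMALL_POOL_NAT_PORTS = [40000 + (i % 16) for i in range(500)]

if __name__ == "__main__":
    for name, sample in [("random", RANDOM_PORTS), ("sequential NAT", SEQUENTIAL_NAT_PORTS),
                         ("small-pool NAT", SMALL_POOL_NAT_PORTS)]:
        print(name, assess_source_ports(sample))
```

A sequential pool passes the distinct-port and entropy tests, which is why the step-size metric is needed; a small-pool NAT fails on distinct ratio and entropy alone.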