On 7 Mar 2010, at 08:06, George Barwood wrote:
> If root-servers.net is unsigned, it's not possible for the resolver to validate
> the set of root IP addresses
So what? If the served zones are signed, it simply doesn't matter if
the address of a name server is spoofed or hijacked. The Bad Guy won't
have the private keys, so will be unable to return answers which
validate. In the context of a referral from the root, what matters is
the signature over the TLD's RRset (and its KSKs), not the IP address
of the root server or any signature that might or might not exist over
its name.
> (a) An attacker can control every unsigned zone.
> (b) An attacker can monitor every request to a signed zone (no privacy).
> (c) An attacker can deny service to any zone, on a selective basis.
It's not clear what point you're making or what your concerns are.
None of the things listed above is remotely relevant, apart from (a),
which is hardly news: zones can be spoofed if they're not signed.
[What next? Can we expect revelations about what bears do in the
woods?] Privacy -- whatever that might mean -- has never been a design
goal of DNS. Or Secure DNS for that matter. An eavesdropper can
monitor *any* DNS request (signed or not) if they're close enough to
the client or server. DoS attacks can be and are mounted on any zone,
whether or not it's signed. Meanwhile, in other news, water is
discovered to be wet and fire is proven to be hot.
> Apparently there are currently no plans to sign root-servers.net
There's no point doing that IMO until .net is signed and there's a
single chain of trust from root-servers.net to the One True Trust
Anchor, the signed root. If the zone were to be self-signed, that would
mean yet another TA would need to be embedded and maintained in
validator configurations. Which creates more failure modes and scope
for errors. And since validating the answers for root-servers.net will
rarely if ever matter, adding that TA would be a lot of risk for
almost no reward.
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
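To make the argument in the reply concrete, here is an added example (not code from the thread, nor from any DNS implementation) that models a DNSSEC validator in Go. Ed25519 stands in for the real RRSIG algorithm, and the zone names, DS record contents and IP addresses (TEST-NET ranges) are constructed for the example. It shows the point being made: validation of the referral from the root depends on the signature over the TLD's DS RRset, checked against the trust anchor, and not on which address served the answer.

```go
package main

// Added example, not code from the thread or from any DNS implementation.
// It models the point made in the reply: a DNSSEC validator trusts the
// signature chain from the root trust anchor, not the address an answer came
// from. ed25519 stands in for the real RRSIG algorithm; the zone names, DS
// record contents and IP addresses (TEST-NET ranges) are constructed.

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// RRset is a named record set plus the RRSIG-like signature a validator checks.
type RRset struct {
	Owner   string   // e.g. "net."
	Type    string   // e.g. "DS"
	Records []string // presentation form of each record
	Sig     []byte   // signature over canonical(Owner, Type, Records)
}

// canonical builds the bytes that are signed: owner, type and the records in
// sorted order, so reordering records neither breaks nor forges a signature.
func canonical(owner, typ string, records []string) []byte {
	sorted := append([]string(nil), records...)
	sort.Strings(sorted)
	return []byte(owner + "|" + typ + "|" + strings.Join(sorted, "\n"))
}

// Sign is what the zone signer does: it attaches a signature made with the
// zone's private key. Only the holder of that key can produce one.
func Sign(priv ed25519.PrivateKey, owner, typ string, records []string) RRset {
	return RRset{Owner: owner, Type: typ, Records: records,
		Sig: ed25519.Sign(priv, canonical(owner, typ, records))}
}

// Response is a referral as the resolver sees it: the RRset plus the address
// that served it. FromIP is deliberately outside what Sig covers.
type Response struct {
	FromIP string
	Set    RRset
}

// Validate checks the RRset against the trust anchor (the root's public key).
// It never looks at FromIP: a hijacked or spoofed server address changes
// nothing here, and an attacker without the root key cannot make it return true.
func Validate(anchor ed25519.PublicKey, r Response) bool {
	return ed25519.Verify(anchor, canonical(r.Set.Owner, r.Set.Type, r.Set.Records), r.Set.Sig)
}

// Outcome records the four cases the argument turns on.
type Outcome struct {
	GenuineFromExpectedIP bool // signed DS RRset served by a root server
	GenuineFromHijackedIP bool // same RRset relayed from an attacker's address
	ForgedFromHijackedIP  bool // DS RRset signed with the attacker's own key
	TamperedWithOldSig    bool // genuine signature kept, DS record altered
}

// Demo builds a toy root trust anchor, signs a DS RRset for "net." with it,
// then runs the validator over genuine, relayed, forged and tampered answers.
func Demo() Outcome {
	rootPub, rootPriv, err := ed25519.GenerateKey(rand.Reader) // trust anchor
	if err != nil {
		panic(err)
	}
	// The DS record is a digest of the TLD's KSK; the key material is invented.
	ksk := sha256.Sum256([]byte("constructed KSK for net."))
	dsRecord := "net. DS 12345 13 2 " + hex.EncodeToString(ksk[:])
	genuine := Sign(rootPriv, "net.", "DS", []string{dsRecord})

	// An attacker who controls the server address but not the root key.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	badKsk := sha256.Sum256([]byte("attacker's KSK"))
	badRecord := "net. DS 666 13 2 " + hex.EncodeToString(badKsk[:])
	forged := Sign(attackerPriv, "net.", "DS", []string{badRecord})
	tampered := RRset{Owner: "net.", Type: "DS", Records: []string{badRecord}, Sig: genuine.Sig}

	return Outcome{
		GenuineFromExpectedIP: Validate(rootPub, Response{"192.0.2.1", genuine}),
		GenuineFromHijackedIP: Validate(rootPub, Response{"198.51.100.9", genuine}),
		ForgedFromHijackedIP:  Validate(rootPub, Response{"198.51.100.9", forged}),
		TamperedWithOldSig:    Validate(rootPub, Response{"198.51.100.9", tampered}),
	}
}

func main() {
	o := Demo()
	fmt.Printf("genuine DS RRset from a root server address: %v\n", o.GenuineFromExpectedIP)
	fmt.Printf("same RRset relayed from a hijacked address:  %v\n", o.GenuineFromHijackedIP)
	fmt.Printf("DS RRset signed with the attacker's own key: %v\n", o.ForgedFromHijackedIP)
	fmt.Printf("altered DS record under the genuine RRSIG:   %v\n", o.TamperedWithOldSig)
}
```

The first two cases validate and the last two fail, whichever address the answer arrived from. What a hijacked root server address does buy an attacker is the ability to not answer at all, which a validator sees as a failed lookup rather than a forged one; the example does not model that, and the reply's point is that signing root-servers.net would not change it either.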