----- Original Message -----
From: "Jim Reid" <[email protected]>
To: "George Barwood" <[email protected]>
Cc: <[email protected]>
Sent: Sunday, March 07, 2010 10:20 AM
Subject: Re: [DNSOP] Should root-servers.net be signed
> On 7 Mar 2010, at 08:06, George Barwood wrote:
>
>> If root-servers.net is unsigned, it's not possible for the resolver
>> to validate the set of root IP addresses
>
> So what? If the served zones are signed, it simply doesn't matter if
> the address of a name server is spoofed or hijacked. The Bad Guy won't
> have the private keys, so will be unable to return answers which
> validate. In the context of a referral from the root, what matters is
> the signature over the TLD's RRset (and its KSKs), not the IP address
> of the root server or any signature that might or might not exist over
> its name.
>
>> (a) An attacker can control every unsigned zone.
>>
>> (b) An attacker can monitor every request to a signed zone (no
>> privacy).
>>
>> (c) An attacker can deny service to any zone, on a selective basis.
>
> It's not clear what point you're making or what your concerns are.
> None of these things listed above are remotely relevant. Apart from
> (a) which is hardly news: zones can be spoofed if they're not signed.
> [What next? Can we expect revelations about what bears do in the
> woods?]

Prevention of spoofing is a goal of DNSSEC. However, if a zone (such as root-servers.net) is not signed, spoofing is not prevented. This has negative consequences, and weakens the protection that DNSSEC offers.

> Privacy -- whatever that might mean -- has never been a design
> goal of DNS. Or Secure DNS for that matter. An eavesdropper can
> monitor *any* DNS request (signed or not) if they're close enough to
> the client or server.

Yes, but I'm talking about blind spoofing attacks, where a single successful spoof results in the attacker gaining a lot, and which can be stopped by signing root-servers.net.

> DoS attacks can and are mounted on any zone,
> whether or not they're signed. Meanwhile, in other news, water is
> discovered to be wet and fire is proven to be hot.
>> Apparently there are currently no plans to sign root-servers.net
>
> There's no point doing that IMO until .net is signed and there's a
> single chain of trust from root-servers.net to the One True Trust
> Anchor, the signed root.

I hadn't considered that. The dependency on .net is perhaps a little odd. A more logical set of name server names might be simply a.root-servers, b.root-servers .. k.root-servers so that the dependency is removed. There may be objections to this.

> If the zone was to be self-signed, that would
> mean yet another TA would need to be embedded and maintained in
> validator configurations. Which creates more failure modes and scope
> for errors. And since validating the answers for root-servers.net will
> rarely if ever matter, adding that TA would be a lot of risk for
> almost no reward.

I agree that there is little point in signing root-servers if it cannot be validated without configuring a special trust anchor. Of course another solution to that is to sign .net.

--
George

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
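To make the two positions in this exchange concrete, here is an added example (not code from the thread or from any DNSOP participant): a toy chain-of-trust validator in Python. It uses Lamport one-time signatures over SHA-256 as a stand-in for the RSA/ECDSA keys real DNSSEC uses, gives each zone a single key rather than a KSK/ZSK pair, treats a missing DS as an insecure delegation without the NSEC proof a real validator would demand, and constructs the zone layout and the addresses 192.0.2.1 and 203.0.113.9 for illustration. With root-servers.net signed and chained through .net to the root trust anchor, an impostor server that rewrites an address gets a "bogus" verdict whether it keeps the old RRSIG or signs with a key of its own (Jim's point: the address of the server does not matter, the keys do); with root-servers.net unsigned, the genuine and the spoofed answer both come back "insecure" and the validator cannot tell them apart (George's point (a)).

```python
"""Toy DNSSEC chain-of-trust validator (added example; not code from the thread).

Stand-ins: Lamport one-time signatures over SHA-256 replace real DNSSEC keys; one
key per zone; an absent DS counts as an insecure delegation (no NSEC proof);
zone names, addresses and record layout are constructed for illustration.
"""
import hashlib
import os
from typing import Dict, List, Optional, Tuple

Key = List[List[bytes]]  # 256 pairs of 32-byte values


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen() -> Tuple[Key, Key]:
    """Lamport one-time keypair: secret = random pairs, public = their hashes."""
    sk = [[os.urandom(32), os.urandom(32)] for _ in range(256)]
    pk = [[sha256(x) for x in pair] for pair in sk]
    return sk, pk


def pk_bytes(pk: Key) -> bytes:
    return b"".join(b"".join(pair) for pair in pk)


def _bits(data: bytes) -> List[int]:
    h = int.from_bytes(sha256(data), "big")
    return [(h >> (255 - i)) & 1 for i in range(256)]


def sign(sk: Key, data: bytes) -> List[bytes]:
    """Reveal one secret per digest bit; a Lamport key must sign only one message."""
    return [sk[i][b] for i, b in enumerate(_bits(data))]


def verify(pk: Key, data: bytes, sig: List[bytes]) -> bool:
    return len(sig) == 256 and all(sha256(sig[i]) == pk[i][b] for i, b in enumerate(_bits(data)))


def canonical(owner: str, rtype: str, rdata: str) -> bytes:
    """Simplified canonical form of an RRset: the bytes an RRSIG covers."""
    return f"{owner}|{rtype}|{rdata}".encode()


class Zone:
    """A zone's DNSKEY (None if unsigned), its RRsets and the RRSIGs over them."""

    def __init__(self, name: str, pk: Optional[Key]):
        self.name, self.pk = name, pk
        self.rrsets: Dict[Tuple[str, str], str] = {}
        self.rrsigs: Dict[Tuple[str, str], List[bytes]] = {}

    def add(self, owner: str, rtype: str, rdata: str, sk: Optional[Key] = None) -> None:
        self.rrsets[(owner, rtype)] = rdata
        if sk is not None:
            self.rrsigs[(owner, rtype)] = sign(sk, canonical(owner, rtype, rdata))


def validate(trust_anchor: bytes, chain: List[Zone], owner: str, rtype: str) -> str:
    """Walk root -> ... -> leaf like a validator; return 'secure', 'bogus' or 'insecure'."""
    root = chain[0]
    if root.pk is None or sha256(pk_bytes(root.pk)) != trust_anchor:
        return "bogus"
    for parent, child in zip(chain, chain[1:]):
        ds_key = (child.name, "DS")
        if ds_key not in parent.rrsets:
            return "insecure"  # no DS at this cut: nothing below it can be validated
        ds = parent.rrsets[ds_key]
        if not verify(parent.pk, canonical(child.name, "DS", ds), parent.rrsigs.get(ds_key, [])):
            return "bogus"
        if child.pk is None or sha256(pk_bytes(child.pk)).hex() != ds:
            return "bogus"  # child's DNSKEY does not match the parent's DS
    leaf = chain[-1]
    rdata = leaf.rrsets.get((owner, rtype))
    sig = leaf.rrsigs.get((owner, rtype), [])
    if rdata is None or not verify(leaf.pk, canonical(owner, rtype, rdata), sig):
        return "bogus"  # data changed after signing, or signed by the wrong key
    return "secure"


def build_world(sign_rsn: bool) -> Tuple[bytes, List[Zone]]:
    """Root and net. are signed; root-servers.net. gets a key and a DS only if sign_rsn."""
    root_sk, root_pk = keygen()
    net_sk, net_pk = keygen()
    rsn_sk, rsn_pk = keygen()
    root, net = Zone(".", root_pk), Zone("net.", net_pk)
    rsn = Zone("root-servers.net.", rsn_pk if sign_rsn else None)
    root.add("net.", "DS", sha256(pk_bytes(net_pk)).hex(), root_sk)
    if sign_rsn:
        net.add("root-servers.net.", "DS", sha256(pk_bytes(rsn_pk)).hex(), net_sk)
    rsn.add("a.root-servers.net.", "A", "192.0.2.1", rsn_sk if sign_rsn else None)
    return sha256(pk_bytes(root_pk)), [root, net, rsn]


OWNER, RTYPE = "a.root-servers.net.", "A"


def genuine(sign_rsn: bool) -> str:
    ta, chain = build_world(sign_rsn)
    return validate(ta, chain, OWNER, RTYPE)


def spoofed(sign_rsn: bool) -> str:
    """An impostor rewrites the address but cannot re-sign the RRset."""
    ta, chain = build_world(sign_rsn)
    chain[-1].rrsets[(OWNER, RTYPE)] = "203.0.113.9"  # any existing RRSIG is left as-is
    return validate(ta, chain, OWNER, RTYPE)


def spoofed_with_own_key(sign_rsn: bool) -> str:
    """An impostor signs with its own key; the parent's DS does not match it."""
    ta, chain = build_world(sign_rsn)
    evil_sk, evil_pk = keygen()
    chain[-1] = Zone("root-servers.net.", evil_pk)
    chain[-1].add(OWNER, RTYPE, "203.0.113.9", evil_sk)
    return validate(ta, chain, OWNER, RTYPE)


if __name__ == "__main__":
    for label, fn in [("genuine", genuine), ("spoofed", spoofed), ("own key", spoofed_with_own_key)]:
        print(f"{label:8} signed={fn(True):9} unsigned={fn(False)}")
```

The verdict table the script prints is the whole argument in miniature: in the signed column only the genuine answer is "secure" and every spoof is "bogus", so which server's address the resolver happened to reach is irrelevant; in the unsigned column all three rows read "insecure", which is the state root-servers.net is in while it has no DS in .net, and which is why Jim ties signing it to .net being signed first.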
