On 7 Mar 2010, at 23:08, George Barwood wrote:
>> But since, unless you do so manually or do some other finagling, you can't
>> easily establish trust if you don't have trust above, root-servers.net
>> should only sign after .net is signed at this point in the rollout.
>
> The dependency on .net for the root name servers seems strange to me.

Get over it.

> Intuitively, I should not have to trust .net to get a validated set
> of root name servers.

You only need to trust the signatures over the signed delegations from
root servers, not the signatures (if any) over the address records for
the zone's name servers. This has been explained to you already.

Spoofed IP addresses for the root's name servers -- either through DNS
or evil routing trickery -- won't matter once the zone is signed for
real. An impostor won't be able to sign their bogus root zone because
they won't have access to the actual keys. Anything for the root
that's returned from these spoofed addresses simply won't validate.

> This doesn't cure all the security ills of the world, but does
> constitute a small improvement in security, especially for TLDs that
> have not yet been signed.

Nope. If some TLD isn't signed it can be spoofed regardless of whether
or not the root (or root-servers.net) is signed. The same is true for
any unsigned zone that lives under a trust anchor which is used for
validation.

> If TLDs also do not sign their name server domains, then a single
> blind spoof packet allows an attacker to intercept all the traffic
> for a resolver.

Yawn. That's still true whether or not root-servers.net is signed and
the resolver validates that zone's signatures. Or if the zone isn't
signed. See above.

> Even the root server traffic is somewhat sensitive - it can often be
> what some end-user has just typed, which could well be confidential,
> such as a password (e.g. they think they are entering a password,
> but are actually typing into an address bar).

So don't do that. Duh!

What point are you trying to make here or ascribe to the use or non-use
of DNSSEC? If people put crap in their DNS queries, that crap will
more than likely get presented to external name servers. DNSSEC is not
and never has been about confidentiality, either of DNS data or of
queries. I fail to see how stupid end user behaviour with web
browsers that leaks sensitive data can have anything to do with
DNSSEC deployment at all. Or why you raise this non-issue on this list.
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
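The validation logic argued in the reply above (trust flows from the resolver's configured anchor through root-signed delegations, not from which address served the packet; and a TLD the root provably does not delegate securely is still spoofable) as an added Python model that is not part of the thread or of any resolver. Everything in it is constructed: textbook RSA with small well-known primes stands in for a real DNSSEC algorithm and is not secure, the record format is a toy canonical form, the `no-DS` marker stands in for an NSEC/NSEC3 proof of no DS, and the names (`ns.attacker.example.`, the hypothetical TLD `unsigned.`) and keys are placeholders.

```python
"""Toy model of DNSSEC chain-of-trust validation (added illustration; not real resolver code).

Assumption: textbook RSA with small fixed primes stands in for the signing
algorithm and is NOT secure; keys, names and records are constructed here.
"""
import hashlib

NO_DS = "no-DS"  # toy stand-in for an NSEC/NSEC3 proof that no DS exists


def make_keypair(p, q, e=17):
    """Textbook RSA keypair from two (assumed) primes; toy parameters only."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)


def _hash_mod(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, data):
    d, n = priv
    return pow(_hash_mod(data, n), d, n)


def verify(pub, data, sig):
    e, n = pub
    return pow(sig, e, n) == _hash_mod(data, n)


def key_digest(pub):
    """Stand-in for a DS record or a configured trust anchor: hash of a key."""
    return hashlib.sha256(repr(pub).encode()).hexdigest()


def rrset(owner, rtype, rdata, rrsig=None):
    return {"owner": owner, "type": rtype, "rdata": rdata, "rrsig": rrsig}


def rrset_bytes(rr):
    """Toy canonical form covered by the signature."""
    return f"{rr['owner']}|{rr['type']}|{rr['rdata']}".encode()


def signed_rrset(priv, owner, rtype, rdata):
    rr = rrset(owner, rtype, rdata)
    rr["rrsig"] = sign(priv, rrset_bytes(rr))
    return rr


def validate_root_answer(answer, trust_anchor):
    """Validate data claimed to be from the root, whichever address served it."""
    pub = answer["dnskey"]
    if key_digest(pub) != trust_anchor:
        return "bogus"  # offered key is not the configured trust anchor
    if not verify(pub, rrset_bytes(answer["rrset"]), answer["rrset"]["rrsig"]):
        return "bogus"  # right key advertised, but the signature was not made with it
    return "secure"


def validate_tld_answer(root_pub, delegation, answer):
    """delegation: a root-signed DS for the TLD, or a root-signed proof of no DS."""
    if not verify(root_pub, rrset_bytes(delegation), delegation["rrsig"]):
        return "bogus"  # delegation (or denial of one) not signed by the root
    if delegation["rdata"] == NO_DS:
        # Provably unsigned child: its data is accepted without validation,
        # so whoever answers first (including a blind spoofer) wins.
        return "insecure"
    pub = answer["dnskey"]
    if key_digest(pub) != delegation["rdata"]:
        return "bogus"
    if not verify(pub, rrset_bytes(answer["rrset"]), answer["rrset"]["rrsig"]):
        return "bogus"
    return "secure"


# Constructed keys from well-known small primes, chosen so the example runs
# instantly. Nothing here is a real key.
ROOT_PUB, ROOT_PRIV = make_keypair(99991, 999983)
NET_PUB, NET_PRIV = make_keypair(9973, 1299709)
IMPOSTOR_PUB, IMPOSTOR_PRIV = make_keypair(104729, 7919)
TRUST_ANCHOR = key_digest(ROOT_PUB)  # what the resolver is configured with


def root_scenarios():
    """Genuine root answer vs. two answers from a spoofed root-server address."""
    genuine = {"dnskey": ROOT_PUB,
               "rrset": signed_rrset(ROOT_PRIV, ".", "NS", "a.root-servers.net.")}
    own_key = {"dnskey": IMPOSTOR_PUB,
               "rrset": signed_rrset(IMPOSTOR_PRIV, ".", "NS", "ns.attacker.example.")}
    forged = {"dnskey": ROOT_PUB,  # real key advertised, signature made with another
              "rrset": signed_rrset(IMPOSTOR_PRIV, ".", "NS", "ns.attacker.example.")}
    return tuple(validate_root_answer(a, TRUST_ANCHOR) for a in (genuine, own_key, forged))


def tld_scenarios():
    """Signed TLD (.net) vs. a hypothetical unsigned TLD ('unsigned.')."""
    ds_net = signed_rrset(ROOT_PRIV, "net.", "DS", key_digest(NET_PUB))
    genuine_net = {"dnskey": NET_PUB,
                   "rrset": signed_rrset(NET_PRIV, "net.", "NS", "a.gtld-servers.net.")}
    spoofed_net = {"dnskey": IMPOSTOR_PUB,
                   "rrset": signed_rrset(IMPOSTOR_PRIV, "net.", "NS", "ns.attacker.example.")}
    fake_no_ds = signed_rrset(IMPOSTOR_PRIV, "net.", "DS", NO_DS)  # forged "no DS" for .net
    real_no_ds = signed_rrset(ROOT_PRIV, "unsigned.", "DS", NO_DS)  # root honestly says: no DS
    spoofed_unsigned = {"dnskey": None,
                        "rrset": rrset("unsigned.", "NS", "ns.attacker.example.")}
    return (validate_tld_answer(ROOT_PUB, ds_net, genuine_net),
            validate_tld_answer(ROOT_PUB, ds_net, spoofed_net),
            validate_tld_answer(ROOT_PUB, fake_no_ds, spoofed_net),
            validate_tld_answer(ROOT_PUB, real_no_ds, spoofed_unsigned))


if __name__ == "__main__":
    print(root_scenarios())  # ('secure', 'bogus', 'bogus')
    print(tld_scenarios())   # ('secure', 'bogus', 'bogus', 'insecure')
```

The last result is the one the reply hammers on: the root's signed "no DS" proof for the unsigned TLD validates fine, which is exactly why the resolver then takes that TLD's data on faith, so signing the root (or root-servers.net) does nothing for zones below an insecure delegation.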