> In message <[email protected]>, Masataka Ohta writes:
> > Hosnieh Rafiee wrote:
> >
> > > I have gathered some vulnerabilities in the current DNS security
> > > approaches such as DNSSEC and etc. We think it is useful to have a
> > > survey of existing vulnerabilities or any new vulnerabilities so
> > > that we can address those issues in other standard RFC. This is why
> > > we plan to write a new informational draft.
> >
> > As was discussed recently in IETF ML, a serious vulnerability of, so
> > called, DNSSEC is lack of secure time.
> >
> > In the discussion, there is no practical solution against it, though
> > some security novices innocently believed GPS time were automagically
> > secure.
> >
> > That is, so far, there is no way to have really secure DNSSEC.
> >
> > Masataka Ohta

I guess this problem is also true for any protocol that uses a timestamp in its signature, and is not DNSSEC-specific, because the nodes need to allow for clock skew (of at least a few seconds), and this is actually where the attacker can attack the node (replay attack...).

-----------smile----------
Hosnieh
Success is a journey, not a destination. You cannot change your destination overnight, but you can change your direction ... Focus on the journey
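
The following is an added illustration and not part of either message in this thread: a sketch of the RRSIG validity-window check (32-bit inception/expiration compared with RFC 1982 serial arithmetic, as RFC 4034 requires) showing how both the skew allowance and an incorrect local clock widen the window in which an expired signature is still accepted. The `skew` parameter, the function names and the timestamps are assumptions constructed for the example.

```python
# Added example: RRSIG validity-window check with a skew allowance.
MOD = 1 << 32    # RRSIG timestamps are 32-bit seconds since the Unix epoch
HALF = 1 << 31


def serial_lt(a: int, b: int) -> bool:
    """RFC 1982 serial arithmetic: True if a is earlier than b."""
    return a != b and ((b - a) % MOD) < HALF


def rrsig_time_valid(clock: int, inception: int, expiration: int,
                     skew: int = 0) -> bool:
    """Accept if inception - skew <= clock <= expiration + skew.

    `clock` is whatever the validator believes the time is; `skew` is a
    local-policy allowance (an assumption here, not a protocol field).
    """
    clock %= MOD
    earliest = (inception - skew) % MOD
    latest = (expiration + skew) % MOD
    return not serial_lt(clock, earliest) and not serial_lt(latest, clock)


def replay_accepted(true_time: int, clock_error: int, inception: int,
                    expiration: int, skew: int) -> bool:
    """Would a validator whose clock is off by clock_error seconds accept
    the signature at true_time? Negative means the clock runs behind."""
    return rrsig_time_valid(true_time + clock_error, inception,
                            expiration, skew)


# Constructed sample values: a signature valid for 30 days.
INCEPTION = 1_700_000_000
EXPIRATION = INCEPTION + 30 * 86_400

if __name__ == "__main__":
    hour_late = EXPIRATION + 3_600   # one hour after real expiry
    for label, err, skew in [("correct clock", 0, 300),
                             ("clock 2h behind", -7_200, 300)]:
        ok = replay_accepted(hour_late, err, INCEPTION, EXPIRATION, skew)
        print(f"{label:16s} skew={skew}s -> accepted={ok}")
```

The signature bytes are identical in both runs; only the validator's belief about the current time changes the outcome, which is why the check is only as trustworthy as the clock source behind it.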
