Hosnieh Rafiee wrote:

> I guess this problem is also true for any protocol that uses timestamps in
> its signatures and is not DNSSEC specific.

Not necessarily. Some security protocols can safely assume that the
clocks of the related equipment are manually managed by skilled
operators, which is not the case with DNS clients.

Then, plain DNS modified to have a 32 (or 64?) bit message
ID is as secure as DNSSEC.

> Because the nodes need to consider
> clock skew (for at least a few seconds), and this is actually where the
> attacker can attack the node (replay attack...)

If the skew were a few seconds, it would not be a security problem
for DNS.

The problem is that, without human intervention by skilled
operators, clocks can be very inaccurate.

Then, a compromised and expired zone key can be used to sign
arbitrary data of the zone, which is more serious than a
replay attack.

                                                        Masataka Ohta

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
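The timing check the message is arguing about, as an added example that is not part of the thread or of any validator's code: a DNSSEC validator compares its own clock against the RRSIG Inception and Expiration fields (RFC 4035 section 5.3.1), using the 32-bit serial-number arithmetic that RFC 4034 section 3.1.5 requires, usually with a small clock-skew allowance. The key tag, dates and the 300-second skew value below are constructed for the demonstration; the scenario assumes a zone key whose signing period ended and whose private half was later compromised.

```python
"""
Added example (not from the mailing-list thread): the RRSIG validity-window
check a DNSSEC validator performs, with RFC 1982 serial-number arithmetic on
the 32-bit timestamps and a clock-skew allowance. It shows why a skew of a
few seconds is harmless, while a badly wrong (unmanaged) clock lets a
signature made with an expired, compromised key validate again.
All timestamps, the key tag and the skew value are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

TWO32 = 1 << 32
HALF = 1 << 31


def serial_le(a: int, b: int) -> bool:
    """RFC 1982 serial-number 'a <= b' for 32-bit DNSSEC timestamps.

    RRSIG Inception/Expiration are 32-bit seconds since the epoch and wrap
    around; they must be compared modulo 2^32, not as plain integers.
    """
    diff = (b - a) % TWO32
    return diff == 0 or diff < HALF


def ts(s: str) -> int:
    """Parse the YYYYMMDDHHmmSS presentation form of an RRSIG timestamp (UTC)."""
    dt = datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp()) % TWO32


@dataclass(frozen=True)
class RRSIGWindow:
    key_tag: int
    inception: int   # 32-bit seconds since epoch
    expiration: int  # 32-bit seconds since epoch


def rrsig_time_valid(sig: RRSIGWindow, now: int, skew: int = 0) -> bool:
    """True iff inception - skew <= now <= expiration + skew (serial arithmetic).

    `skew` is the validator's clock-skew allowance (assumed here; real
    validators use values from seconds to a few minutes).
    """
    low = (sig.inception - skew) % TWO32
    high = (sig.expiration + skew) % TWO32
    now %= TWO32
    return serial_le(low, now) and serial_le(now, high)


def replay_scenario() -> dict:
    """Constructed scenario: key tag 12345 signed the zone during January 2023
    and was then retired; its private half leaked later. The attacker holds
    the key and can sign arbitrary data with any window they choose, but the
    validator accepts the result only if its own clock falls inside that
    window (plus skew). The attacker reuses the key's original window so the
    replayed DS/DNSKEY chain from the same period validates too.
    """
    attacker_sig = RRSIGWindow(12345, ts("20230101000000"), ts("20230131235959"))
    skew = 300  # five-minute allowance, already generous compared to "a few seconds"
    return {
        # Accurate clock long after expiration: rejected, the leaked key is useless.
        "accurate_clock": rrsig_time_valid(attacker_sig, ts("20240601120000"), skew),
        # Clock 31 s past expiration: accepted, but only within the skew allowance.
        "few_seconds_past_expiry": rrsig_time_valid(attacker_sig, ts("20230201000030"), skew),
        # Clock 10 min past expiration: outside the allowance, rejected.
        "well_past_skew": rrsig_time_valid(attacker_sig, ts("20230201001000"), skew),
        # Unmanaged clock reset into the old window (e.g. a device with no RTC
        # battery that never synced): the expired key's signature over
        # attacker-chosen data validates again.
        "clock_reset_into_window": rrsig_time_valid(attacker_sig, ts("20230115000000"), skew),
    }


if __name__ == "__main__":
    for name, accepted in replay_scenario().items():
        print(f"{name:28s} accepted={accepted}")
```

The point the scenario isolates: the skew allowance bounds how far past Expiration a replay still works, so a few seconds or minutes of drift only widens the window by that much; a clock that is off by months, as can happen on DNS clients nobody administers, puts the validator back inside an old window where a compromised key's signatures are fully trusted.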
