On Tue, 29 Sep 2015, Mukund Sivaraman wrote:
> On the other hand, DNSSEC requires signatures for each RRset bloating messages
Just like TLS is bloating HTTP? :)
> Anyway, I'll explain with an example why DNSSEC is not sufficient to protect against DNS message modifications. Assume a company provides a service in different countries. They want users in each country to use the local CDN only, let's assume because users have no route to other CDNs outside the country or because it's too expensive to service data from other countries. They use views in DNS, each serving a different country, and the A/AAAA records returned by the authoritative server provide the correct IP address for that country. Assume that zones in these views are signed using the same KSK/ZSK. This will work fine, but an attacker who has access to country A's response may succeed in poisoning a message in country B with A's data and DNSSEC validation will not catch it. DNSSEC protects each RRset, but not the DNS message.
Such a powerful attacker can also just reroute or NAT the IP addresses of the one CDN to the other. Sure, it might be annoying to you but since it is still using DNSSEC validated data that you deem valid for some clients, it shouldn't be the end of the world either. I'm not convinced this draft is worth doing. But I don't see it causing much harm either.

Paul

_______________________________________________
DNSOP mailing list
https://www.ietf.org/mailman/listinfo/dnsop
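The cross-view replay in the quoted example, modelled as an added Python example (editorial illustration, not code from the thread or from any participant). It assumes two views of a constructed zone `www.example.` with documentation-range addresses, uses an HMAC with a shared "zone key" as a stand-in for RRSIG generation (real DNSSEC uses asymmetric signatures, but the property shown, that the signature covers only the canonical RRset, is the same), and contrasts it with a TSIG-style message MAC keyed per resolver, which covers the whole response. The RRset from view A, dropped into the response a client in view B receives, passes the per-RRset check and fails the message-level check.

```python
"""Toy model of DNSSEC per-RRset signing versus message-level authentication.

Constructed example: HMAC stands in for RRSIG so it runs with the standard
library only; the zone, addresses and keys below are invented for the demo.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class RRset:
    name: str
    rtype: str
    ttl: int
    rdata: tuple  # RDATA strings; canonical form sorts them (RFC 4034 style)


def canonical_rrset(rr: RRset) -> bytes:
    # This is everything an RRSIG covers: owner name, type, TTL and the RDATA
    # in canonical order. Nothing about the query, the client or the view.
    return (f"{rr.name.lower()}|{rr.rtype}|{rr.ttl}|"
            + "|".join(sorted(rr.rdata))).encode()


# Stand-in for the ZSK shared by every view in the quoted scenario (constructed).
ZONE_KEY = b"shared-zsk-for-every-view"


def rrsig(rr: RRset) -> bytes:
    """Stand-in for RRSIG generation (HMAC instead of a public-key signature)."""
    return hmac.new(ZONE_KEY, canonical_rrset(rr), hashlib.sha256).digest()


def rrsig_valid(rr: RRset, sig: bytes) -> bool:
    """What a DNSSEC validator checks: the signature against the RRset alone."""
    return hmac.compare_digest(rrsig(rr), sig)


@dataclass(frozen=True)
class Response:
    qname: str
    qtype: str
    answer: RRset
    answer_sig: bytes


def build_response(views: dict, view: str, qname: str, qtype: str) -> Response:
    rr = views[view][(qname, qtype)]
    return Response(qname, qtype, rr, rrsig(rr))


def message_mac(resp: Response, resolver_key: bytes) -> bytes:
    """TSIG-style MAC over the whole message (question + answer + RRSIG),
    keyed with a secret shared between this resolver and the server."""
    wire = b"|".join([resp.qname.encode(), resp.qtype.encode(),
                      canonical_rrset(resp.answer), resp.answer_sig])
    return hmac.new(resolver_key, wire, hashlib.sha256).digest()


# Two views of the same zone, each handing out its own CDN address (constructed).
VIEWS = {
    "A": {("www.example.", "A"): RRset("www.example.", "A", 300, ("192.0.2.10",))},
    "B": {("www.example.", "A"): RRset("www.example.", "A", 300, ("198.51.100.10",))},
}
RESOLVER_B_KEY = b"tsig-secret-shared-with-resolver-in-B"  # constructed


def replay_outcome() -> dict:
    """Replay view A's signed answer RRset into the response seen in view B."""
    legit_b = build_response(VIEWS, "B", "www.example.", "A")
    mac_b = message_mac(legit_b, RESOLVER_B_KEY)   # what the server would attach

    from_a = build_response(VIEWS, "A", "www.example.", "A")
    tampered = Response(legit_b.qname, legit_b.qtype, from_a.answer, from_a.answer_sig)

    return {
        # The RRset and its RRSIG are genuine, just from the wrong view: validates.
        "dnssec_accepts_replay": rrsig_valid(tampered.answer, tampered.answer_sig),
        # The message MAC was computed over B's answer; the swapped body no longer matches.
        "message_mac_accepts_replay": hmac.compare_digest(
            message_mac(tampered, RESOLVER_B_KEY), mac_b),
        "address_client_in_B_would_use": tampered.answer.rdata[0],
    }


if __name__ == "__main__":
    for k, v in replay_outcome().items():
        print(f"{k}: {v}")
```

The message MAC only helps where the resolver and the authoritative (or forwarding) server share a key, which is the usual TSIG deployment constraint; the example is meant to show where the two mechanisms' coverage differs, not to suggest one replaces the other.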
