Hi Paul

On Tue, Sep 29, 2015 at 01:33:57AM -0400, Paul Wouters wrote:
> On Tue, 29 Sep 2015, Mukund Sivaraman wrote:
> 
> >On the other hand, DNSSEC requires signatures for each RRset bloating 
> >messages
> 
> Just like TLS is bloating HTTP? :)

TLS and HTTP are irrelevant here, no? The bloat by RRSIGs, considering
just sizes, would be worse than that of TLS and HTTP per amount of data.

> >Anyway, I'll explain with an example why DNSSEC is not sufficient to
> >protect against DNS message modifications. Assume a company provides a
> >service in different countries. They want users in each country to use
> >the local CDN only, let's assume because users have no route to other
> >CDNs outside the country or because it's too expensive to service data
> >from other countries. They use views in DNS, each serving a different
> >country and the A/AAAA records returned by the authoritative server
> >provides the correct IP address for that country. Assume that zones in
> >these views are signed using the same KSK/ZSK.
> >
> >This will work fine, but an attacker who has access to country A's
> >response may succeed in poisoning a message in country B with A's data
> >and DNSSEC validation will not catch it. DNSSEC protects each RRset, but
> >not the DNS message.
> 
> Such a powerful attacker can also just reroute or NAT the IP addresses
> of the one CDN to the other. Sure, it might be annoying to you but since
> it is still using DNSSEC validated data that you deem valid for some
> clients, it shouldn't be the end of the world either.

The example I mentioned is still the case of an off-path attacker. For
an attacker in country B, just having a shell account in country A will
be sufficient to gather signed A/AAAA records for country A.

It would be the end of the world if the poisoned address is not routable
in that location.

The point is that zone data validation doesn't automatically guarantee
that the DNS message is trustworthy.

> I'm not convinced this draft is worth doing. But I don't see it causing
> much harm either.
> 
> Paul
> 

                Mukund
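A toy model of the scenario described in this message, added here as an illustration and not code from the thread or from any DNS implementation. It uses HMAC as a stand-in for RRSIG signing (constructed keys, no real DNSSEC), builds per-view answers for a single name, and shows that a validator checking only the RRset signature accepts country A's signed answer when it is spliced into a response for country B, while a check that covers the whole message (a stand-in for an authenticated resolver-to-server channel, assumed here, not any particular draft) does not. All names, addresses and keys are constructed.

```python
import hashlib
import hmac
import json

# Constructed toy key shared by both views (the thread's assumption: same KSK/ZSK).
# A stand-in for an RRSIG signing key; this is NOT real DNSSEC.
ZSK = b"constructed-toy-zsk"

# Constructed key for the message-level check (stand-in for an authenticated
# channel between resolver and server; the off-path attacker does not have it).
CHANNEL_KEY = b"constructed-resolver-server-key"

# Per-view answers: the same name resolves to a different CDN address per country.
# Documentation-range addresses, constructed for the example.
VIEWS = {
    "A": ["192.0.2.10"],     # reachable only inside country A
    "B": ["198.51.100.10"],  # reachable only inside country B
}


def canonical_rrset(owner, rrtype, rdata):
    """Canonical bytes for an RRset: owner, type and sorted rdata (mirrors how
    RRSIG covers the RRset as a unit, independent of the message it rides in)."""
    fields = [owner.lower().encode(), rrtype.encode()] + sorted(r.encode() for r in rdata)
    return b"|".join(fields)


def sign_rrset(owner, rrtype, rdata, key=ZSK):
    """Toy RRSIG: a MAC over the canonical RRset only, nothing about the message."""
    return hmac.new(key, canonical_rrset(owner, rrtype, rdata), hashlib.sha256).hexdigest()


def validate_rrset(owner, rrtype, rdata, sig, key=ZSK):
    return hmac.compare_digest(sign_rrset(owner, rrtype, rdata, key), sig)


def build_response(view, qname="cdn.example.", rrtype="A"):
    """Authoritative response as served by one view, with its RRset signature."""
    rdata = VIEWS[view]
    return {
        "question": [qname, rrtype],
        "answer": {"owner": qname, "type": rrtype, "rdata": rdata},
        "rrsig": sign_rrset(qname, rrtype, rdata),
    }


def validate_response(msg):
    """What a DNSSEC validator checks: the RRSIG over the answer RRset."""
    a = msg["answer"]
    return validate_rrset(a["owner"], a["type"], a["rdata"], msg["rrsig"])


def splice_answer(target_msg, donor_msg):
    """The substitution the thread describes: B's question, A's signed answer."""
    return {**target_msg, "answer": donor_msg["answer"], "rrsig": donor_msg["rrsig"]}


def message_mac(msg, key=CHANNEL_KEY):
    """Toy message-level integrity check covering the entire message."""
    body = json.dumps(msg, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def verify_message(msg, mac, key=CHANNEL_KEY):
    return hmac.compare_digest(message_mac(msg, key), mac)


def rrset_only_validation():
    """RRset validation alone: the spliced message validates just like the genuine one."""
    resp_a = build_response("A")
    resp_b = build_response("B")
    spliced = splice_answer(resp_b, resp_a)
    return {
        "genuine_b_validates": validate_response(resp_b),
        "spliced_validates": validate_response(spliced),   # True: RRSIG covers only the RRset
        "spliced_rdata": spliced["answer"]["rdata"],       # A's address, unroutable in B
    }


def message_level_validation():
    """With a whole-message check, the MAC issued for B's genuine response no
    longer matches once the answer has been replaced."""
    resp_b = build_response("B")
    mac_b = message_mac(resp_b)
    spliced = splice_answer(resp_b, build_response("A"))
    return {
        "genuine_b_verifies": verify_message(resp_b, mac_b),
        "spliced_verifies": verify_message(spliced, mac_b),  # False
    }


if __name__ == "__main__":
    print(rrset_only_validation())
    print(message_level_validation())
```

The design point the model isolates is the one made above: the RRSIG binds the signing key to an RRset, so any validly signed RRset for the name is acceptable to the validator regardless of which view produced it or which question it answers; only a check whose input is the message as received (and a key the off-path attacker does not hold) ties the answer to the transaction it belongs to.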
