On Wed, Nov 20, 2013 at 12:42:53PM -0800, Nicholas Weaver <[email protected]> wrote a message of 70 lines which said:
> http://www.wired.com/opinion/2013/11/this-is-how-the-internet-backbone-has-been-turned-into-a-weapon/

You mention DNSSEC twice, as a solution against some man-on-the-side attacks (injecting false DNS answers). The Schneier paper <https://www.schneier.com/blog/archives/2013/10/how_the_nsa_att.html> about QUANTUM mentions packet injection but not the DNS. We don't know if the NSA does DNS poisoning (but we may assume they - and other actors - do it).

However, if the attacker is the NSA, we have to take into account the possibility that they can sign data with the root's private key, which is under US management. Therefore, is DNSSEC still useful? Maybe, in these cases:

* the attacker may consider that DNSSEC validation is so uncommon today that it is not worth the work to inject spoofed RRSIG

* some people may have trust anchors located at lower levels (some registries do publish them, for instance <http://www.afnic.fr/fr/certificats/>).

Do you think it is technically sound? Many people decided not to publish these trust anchors, because of the management costs and risks, but it was before Snowden. Maybe we should actively recommend the publication of such "lower" trust anchors now?

_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass
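The setup the second bullet describes, as an added example that is not part of the original message nor published by the registry: an Unbound validating resolver that keeps the root trust anchor and additionally configures a trust anchor for fr. directly. The DS record is a placeholder; the real key tag, algorithm, digest type and digest would be taken from the registry's own publication.

```conf
server:
    # Root trust anchor, kept up to date by Unbound itself (RFC 5011 tracking).
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Lower-level trust anchor for the fr. zone, obtained out of band from the
    # registry rather than derived from the DS record published in the root zone.
    # PLACEHOLDER: replace key tag, algorithm, digest type and digest with the
    # values the registry publishes before using this.
    trust-anchor: "fr. DS 00000 8 2 0000000000000000000000000000000000000000000000000000000000000000"

    # Unbound selects the closest enclosing configured anchor for a name, so
    # answers under fr. are validated against this key; a root-signed DS for fr.
    # that points to a different key would not be used for those names.
    # Log the reason for validation failures so a mismatch between the two
    # anchors is visible in the resolver log instead of silently returning SERVFAIL.
    val-log-level: 2
```

Run unbound-checkconf on the file before reloading to catch a malformed DS string.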
