On Tue, May 13, 2014 at 10:33 AM, Paul Wouters <[email protected]> wrote:
> On Tue, 13 May 2014, Ben Laurie wrote:
>> OK, good point: zone cuts need to also be verified.
>>
>>> The other case is injection of a custom DS RRset. How would we tell the
>>> difference between the legitimate zone owner adding a DS record or an
>>> attacker/parent zone owner adding one?
>>
>> The legitimate owner can tell - that's the point, right?
>
> How does that help protect a non-owner user of someone's site being
> attacked with a targeted attack? If I don't run victim.com, and I am

They check that what they see appears in the issuers' logs and rely on
domain owners to monitor their issuers. If at all possible TLS (and other)
clients will tell their peers what STHs they saw, and the servers can check
that those appear in the log. If enough domain owners do this then targeted
MITM attacks get harder to pull off without being detected. This is the
herd immunity theory: eventually the risk of detection is so high for
would-be MITMers that they won't risk it at all (except, of course, for
cases like open war, where detection is a non-issue). This seems especially
likely to be the case for DNSSEC because of caching.

> just a visitor of victim.com, but only I am given rogue DNSSEC records,
> how can I tell something is wrong? I would go to the public log and see
> the DS I received is not in there?

Yes. Or that it is. If it is and your peers monitor the logs then you can
at least rest easy that the likelihood of MITM issuer detection is very
high.

Nico

_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
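The three checks Nico describes above (the client checks that the DS it received is in the issuer's log, the client tells the server which STH it saw, and the domain owner monitors the log) worked through as an added toy example in Python. This is not code from the thread, nor from any CT or DNSSEC implementation. It assumes a single RFC 6962-style Merkle log whose leaves are DS RRsets, constructed zone names and shortened digests, an STH with the signature left out, and a domain owner that mirrors the whole public log so it can recompute any tree head; the function names (`client_checks_inclusion`, `owner_checks_gossip`, `run_scenario`) are this example's own.

```python
"""Toy RFC 6962-style log of DS RRsets, added to illustrate the checks in the
message above: (1) a client verifies the DS RRset it was served is included
under the log's STH, (2) it gossips that STH to the server, (3) the domain
owner, who mirrors the public log, checks the gossiped STH against its view.
Zone names, DS records, log and STH format are constructed; signatures omitted."""
import hashlib
from dataclasses import dataclass

def leaf_hash(entry):                     # RFC 6962 leaf prefix 0x00
    return hashlib.sha256(b"\x00" + entry).digest()

def node_hash(left, right):               # RFC 6962 interior prefix 0x01
    return hashlib.sha256(b"\x01" + left + right).digest()

def _split(n):
    """Largest power of two strictly less than n (RFC 6962 split point)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k

def merkle_root(leaves):
    if not leaves:
        return hashlib.sha256(b"").digest()
    if len(leaves) == 1:
        return leaf_hash(leaves[0])
    k = _split(len(leaves))
    return node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))

def inclusion_proof(leaves, m):
    """Audit path for leaf m: sibling subtree hashes, leaf level first."""
    if len(leaves) == 1:
        return []
    k = _split(len(leaves))
    if m < k:
        return inclusion_proof(leaves[:k], m) + [merkle_root(leaves[k:])]
    return inclusion_proof(leaves[k:], m - k) + [merkle_root(leaves[:k])]

def root_from_proof(leaf, m, n, path):
    """Root implied by (leaf, index m, size n, path); None if path is malformed."""
    if n == 1:
        return leaf_hash(leaf) if not path else None
    if not path:
        return None
    k, sibling, rest = _split(n), path[-1], path[:-1]
    if m < k:
        inner = root_from_proof(leaf, m, k, rest)
        return None if inner is None else node_hash(inner, sibling)
    inner = root_from_proof(leaf, m - k, n - k, rest)
    return None if inner is None else node_hash(sibling, inner)

@dataclass(frozen=True)
class STH:
    """Signed Tree Head without the signature (omitted in this toy)."""
    tree_size: int
    root: bytes

def sth_of(entries):
    return STH(len(entries), merkle_root(entries))

def proof_for(entries, entry):
    m = entries.index(entry)
    return m, inclusion_proof(entries, m)

def client_checks_inclusion(ds_rrset, m, path, sth):
    """Check (1): the client asks whether the DS it was served is under this STH."""
    if not 0 <= m < sth.tree_size:
        return False
    return root_from_proof(ds_rrset, m, sth.tree_size, path) == sth.root

def owner_checks_gossip(gossiped, mirror):
    """Check (3): the domain owner recomputes the root at the gossiped size from
    its mirror of the public log. Mismatch = the client saw a split/rogue view.
    None = mirror has not fetched that many entries yet; judge later."""
    if gossiped.tree_size > len(mirror):
        return None
    return merkle_root(mirror[:gossiped.tree_size]) == gossiped.root

def run_scenario():
    # Constructed DS RRsets; digests are shortened placeholders, not real data.
    genuine = b"victim.com. IN DS 40001 13 2 A1B2C3D4"
    rogue = b"victim.com. IN DS 60606 13 2 FEEDFACE"
    public = [b"example.net. IN DS 12345 8 2 11223344", genuine,
              b"example.org. IN DS 54321 13 2 99887766"]
    sth = sth_of(public)
    m, path = proof_for(public, genuine)
    # Attacker A: serves one visitor the rogue DS, reusing the genuine proof.
    # Attacker B: runs a private copy of the log with the rogue DS swapped in
    # and hands that visitor its own STH (a split view).
    split = [rogue if e == genuine else e for e in public]
    split_sth = sth_of(split)
    m2, path2 = proof_for(split, rogue)
    return {
        "genuine_ds_under_public_sth": client_checks_inclusion(genuine, m, path, sth),
        "rogue_ds_under_public_sth": client_checks_inclusion(rogue, m, path, sth),
        # Check (2): alone, the client cannot tell a self-consistent split view apart...
        "client_alone_accepts_split_view": client_checks_inclusion(rogue, m2, path2, split_sth),
        # ...but gossiping split_sth to victim.com, whose owner mirrors the log, exposes it.
        "owner_accepts_genuine_sth": owner_checks_gossip(sth, public),
        "owner_accepts_split_sth": owner_checks_gossip(split_sth, public),
    }
```

Running `run_scenario()` shows the two outcomes the thread is about: a rogue DS with no entry in the public log fails the visitor's own check, while a rogue DS served from a split view passes it and is caught only once the visitor's STH reaches the domain owner who mirrors the log. That is the herd-immunity argument in miniature: every extra client that gossips its STH is one more visitor the attacker cannot safely split off, and a real deployment would also send the owner a consistency proof rather than rely on a full mirror.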
