On 05/22/2014 01:47 PM, Osterweil, Eric wrote:
> If I understand your point (perhaps I don't) the type of ``honest[y]'' that
> you are talking about (in the Web PKI) refers to a CA vouching for a name
> binding that is illegitimate. How do you imagine this is possible in DNSSEC?
> I could (for example) stand up a DNSSEC signed zone for someone else's zone,
> but because key verification and key learning are tied to the DNS delegation
> hierarchy, no resolver would learn of my doppelgänger zone, right?
If I control zone foo.bar.example, and you control my parent zone
(bar.example), you can do the following:
* make a new zone-signing key X
* stand up an "authoritative" server for the foo.bar.example zone, signed by X, with a DNSKEY record for X.
* serve the appropriate DS record in the parent zone (bar.example) to delegate foo.bar.example to X instead of the correct ZSK.
I'd very much like to know if you've ever done this rather than
publishing the correct DS.
DNSSEC-for-CT seems like one approach to be able to detect this kind of
misissuance.
--dkg
_______________________________________________ Trans mailing list [email protected] https://www.ietf.org/mailman/listinfo/trans
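Added example, not part of the thread: a defender-side consistency check that recomputes, per RFC 4034, the DS records a parent should publish for a child zone's actual DNSKEYs and flags any DS in the parent that matches none of them, which is the rogue delegation dkg describes above. The zone name, public keys and parent DS set are constructed placeholders.

```python
import hashlib

# Constructed example data: foo.bar.example signed with ECDSAP256SHA256 (alg 13).
# Both 64-byte "public keys" are made-up placeholders, not real keys.
ZONE = "foo.bar.example."
LEGIT_KEY = bytes(range(1, 65))                 # the child's real key
ROGUE_KEY = bytes(range(200, 256)) + bytes(8)   # the parent's key "X"

def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase) wire-format owner name, RFC 4034 section 6.2."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags | protocol (always 3) | algorithm | public key."""
    return flags.to_bytes(2, "big") + bytes([3, algorithm]) + pubkey

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_record(zone: str, rdata: bytes) -> tuple:
    """DS the parent should publish for this key: (tag, alg, digest type 2, SHA-256 hex)."""
    digest = hashlib.sha256(name_to_wire(zone) + rdata).hexdigest()
    return key_tag(rdata), rdata[3], 2, digest

def unexpected_ds(zone: str, child_dnskeys: list, parent_ds_set: list) -> list:
    """DS records served by the parent that match none of the child's own DNSKEYs."""
    expected = {ds_record(zone, rd) for rd in child_dnskeys}
    return sorted(set(parent_ds_set) - expected)

if __name__ == "__main__":
    legit = dnskey_rdata(257, 13, LEGIT_KEY)   # 257 = zone key with SEP bit
    rogue = dnskey_rdata(257, 13, ROGUE_KEY)
    # Parent publishes the correct DS plus one pointing at its own key X.
    parent_ds = [ds_record(ZONE, legit), ds_record(ZONE, rogue)]
    for ds in unexpected_ds(ZONE, [legit], parent_ds):
        print("ALERT: DS in parent matches no child DNSKEY:", ds)
```

Run against the live DS RRset of the parent and the child's DNSKEY RRset, the same check gives the child operator an independent detector for a parent-side substitution, without relying on the parent's honesty.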
