
Re: DNSSEC for IPSEC?

Date: Fri, 26 Jul 1996 15:08:46 EDT
From: Derek Atkins <warlord@MIT.EDU>

> > There is an issue. Storing the private key off-line is not
> > a deterrent: the mischievous person simply generates a
> > new key pair and re-signs the zone.
>
> Actually, this doesn't work.  The problem is that the
> parent zone needs to have signed the zone's key.  So, I
> couldn't go and forge a zone key for MIT.EDU, because the
> MIT.EDU key needs to be signed by the EDU key, which in turn
> needs to be signed by the root key.
>
> So, you can't forge a key without forging the whole
> hierarchy.
>

The servers that serve . also serve EDU -- the disconnect
between them is a logical one, not a physical one. A
compromise of either is a compromise of both (as well as
COM).

The EDU zone could sign a key for the MIT.EDU subzone
and return glue data that isn't addressed to MIT.EDU but
to an impostor. If the resolver knew MIT's key then the
impostor would have a problem; however, I suspect
resolvers will commonly trust the key from the
super zone. Once an impostor is introduced into the
path, duplicating a hierarchy is just work.


Detecting a compromised server is easier if the server
applies its craft to all of its responses. However, if the
server itself (named) is replaced with one that targets
specific data, its detection will be more difficult --
and more effective.


-dpg
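
The chain-of-trust argument in the message above, as an added example that is not part of the thread: a toy resolver validates the MIT.EDU key through EDU from a root trust anchor, once trusting whatever key the superzone vouches for and once also requiring a key it already knows. The zone keys, signatures and the compromised-EDU chain are constructed, and textbook RSA over tiny primes stands in for real DNSSEC signing.

```python
"""Toy model of the DNSSEC chain of trust discussed above. Added example,
not code from the thread: textbook RSA over tiny constructed primes stands
in for real DNSSEC signing so it runs on the standard library alone."""
import hashlib

def keypair(p, q, e=17):          # toy RSA key from small constructed primes
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": e, "d": pow(e, -1, phi)}
def pub(key):                     # public half, what a zone publishes as KEY
    return {"n": key["n"], "e": key["e"]}
def digest(msg, n):
    return int(hashlib.sha256(msg.encode()).hexdigest(), 16) % n
def sign(key, msg):
    return pow(digest(msg, key["n"]), key["d"], key["n"])
def verify(pk, msg, sig):
    return pow(sig, pk["e"], pk["n"]) == digest(msg, pk["n"])
def key_record(zone, pk):         # canonical text that the parent zone signs
    return f"{zone} KEY n={pk['n']} e={pk['e']}"

def validate_chain(anchor_pub, chain):
    """Walk from the trust anchor down. Each link is (zone, child_pub,
    parent_signature_over_child_key); returns the leaf key or None."""
    current = anchor_pub
    for zone, child_pub, sig in chain:
        if not verify(current, key_record(zone, child_pub), sig):
            return None
        current = child_pub
    return current

def resolver_accepts(anchor_pub, chain, pinned=None):
    """pinned=None: trust whatever key the superzone vouches for.
    Otherwise the leaf must also equal a key the resolver already knows."""
    leaf = validate_chain(anchor_pub, chain)
    return leaf is not None and (pinned is None or leaf == pinned)

def scenario():
    root, edu, mit, impostor = [keypair(*pq) for pq in
                                ((61, 53), (71, 67), (83, 79), (89, 97))]
    edu_link = ("EDU", pub(edu), sign(root, key_record("EDU", pub(edu))))
    honest = [edu_link, ("MIT.EDU", pub(mit),
                         sign(edu, key_record("MIT.EDU", pub(mit))))]
    # The EDU signing key is in the wrong hands and certifies an impostor.
    forged = [edu_link, ("MIT.EDU", pub(impostor),
                         sign(edu, key_record("MIT.EDU", pub(impostor))))]
    return {"honest": resolver_accepts(pub(root), honest),
            "honest_pinned": resolver_accepts(pub(root), honest, pub(mit)),
            "forged": resolver_accepts(pub(root), forged),
            "forged_pinned": resolver_accepts(pub(root), forged, pub(mit))}
```

A resolver that only follows the hierarchy accepts the impostor's key because every link still verifies; only the resolver that already knows MIT's key notices the substitution.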