Re: Secure DNS is just weakly secure
On Mar 15, 2006, at 09:35, Masataka Ohta wrote:
> First, random third party hackers would rather prefer attacks on
> security holes of complex implementations of complex protocols.
AHA! So that explains why X.509 certificates, crypto hash algorithms
and PGP are forever being compromised by random third party attackers
while unsecured Windows desktops are ignored.
Your point about complexity being the enemy of security is well made.
However vanilla flavour DNS is a complex protocol that's hard to
implement, let alone interoperate with the installed base. It's
already far beyond the point where security people would be comfortable.
> Secondly, ISPs and DNS cache services you might use may be third
> parties but not random third parties.
So what? If they can't be trusted, I take my secure DNS resolution
business elsewhere. Economic Darwinism takes its course. Problem solved.
> As I pointed out more than ten years ago, cache contamination of
> caching nameservers can be avoided by having a tagged cache for glue
> with the information for which zone the glue is provided.
That might minimise the impact of one attack vector. However there
are plenty of other ways of poisoning a cache. As you should know.
These attacks are not ameliorated by tagging glue. Besides, a fix for
cache poisoning doesn't solve the DNS security problem. It's not even
close.
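A toy model of the tagged glue cache described in the quoted paragraph, added here as an illustration (it is not code from either correspondent, and the zone names and addresses are constructed): glue is stored with the zone that supplied it and is neither accepted from, nor used for, names outside that zone.

```python
"""Bailiwick-tagged glue cache for a caching resolver (toy model).

Glue (A records arriving in the Additional section of a referral) is
stored together with the zone whose servers provided it. A record is
accepted only if its owner name lies inside that zone, and it is used
only when resolving names inside that zone. This closes the single
vector the quoted text addresses; other poisoning paths are untouched.
"""
from dataclasses import dataclass, field


@dataclass
class GlueCache:
    # owner name -> (address, zone that provided the glue)
    entries: dict = field(default_factory=dict)

    @staticmethod
    def in_zone(name: str, zone: str) -> bool:
        """True if name is zone itself or a descendant of it ("" = root)."""
        name = name.rstrip(".").lower()
        zone = zone.rstrip(".").lower()
        return zone == "" or name == zone or name.endswith("." + zone)

    def add_glue(self, referral_zone: str, owner: str, address: str) -> bool:
        """Store glue tagged with referral_zone; reject out-of-bailiwick owners."""
        if not self.in_zone(owner, referral_zone):
            return False  # additional data for a foreign zone: drop it
        key = owner.rstrip(".").lower()
        self.entries[key] = (address, referral_zone.rstrip(".").lower())
        return True

    def lookup(self, owner: str, query_name: str):
        """Return glue only if query_name is inside the zone the glue was tagged with."""
        entry = self.entries.get(owner.rstrip(".").lower())
        if entry is None:
            return None
        address, tagged_zone = entry
        return address if self.in_zone(query_name, tagged_zone) else None


def referral_demo() -> dict:
    """Constructed referral for victim.example. with one stray additional record."""
    cache = GlueCache()
    return {
        # in-bailiwick glue from the delegating servers: accepted
        "ns1_accepted": cache.add_glue("victim.example.", "ns1.victim.example.", "192.0.2.53"),
        # additional record for a name outside the referral zone: rejected
        "stray_accepted": cache.add_glue("victim.example.", "www.other.example.", "203.0.113.9"),
        "used_for_own_zone": cache.lookup("ns1.victim.example.", "www.victim.example."),
        "used_for_other_zone": cache.lookup("ns1.victim.example.", "mail.other.example."),
    }
```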
--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>