On Aug 25, 2008, at 4:56 PM, Masataka Ohta wrote:
> Ted Lemon wrote:
>
>> There are still ways to forge the contents of a DNS zone. But they
>> all involve getting access to the signing key for that zone.
>
> Wrong.
>
> A forged signature in an ancestor zone of the target zone is
> enough.
>
> The ancestor zone is the place upon where a trivial MitM attack
> works.
Right. If you get the signing key for .com, you can forge anything
under .com. If you get the signing key for fugue.com, you can sign
anything under fugue.com. And if you get the CA signing key of one of
the major CAs, you can generate new certs for whatever bank you want
to spoof.

Right now, there simply isn't any protection against forged DNS
information.

So DNSSEC is not a panacea, and certainly anybody who is running a
zone that acts as a trust anchor for important zones below it should
have a security policy that's appropriate for the level of trust being
invested in them.

But this has nothing to do with the human factors argument I brought
up, so I'm not sure why you mention it. I don't think there is
anybody on this mailing list at this point who does not understand how
zones are signed, or what trust anchors do.

My point about human factors is that if you can make it much harder to
forge a domain name, then this makes a lot of security downgrade
attacks based on human factors (that is, tricks) much harder to carry
out.
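The chain-of-trust point made above (a compromised ancestor key lets you vouch for any descendant key), modelled as an added example that is not part of the thread. It assumes a toy HMAC stand-in for DNSSEC signing and constructed zone keys; the validator logic (trust a child key only via a DS record signed under the already-trusted parent key) is what the example demonstrates.

```python
import hashlib
import hmac

# Constructed miniature DNSSEC chain: root (".") -> "com." -> "fugue.com.".
# Toy stand-in for signing: HMAC under the zone's key. Real DNSSEC uses
# public-key RRSIGs, but the trust logic is the same: a validator accepts a
# child zone's key only if the parent publishes a matching DS record that
# verifies under the parent key the validator already trusts.

def sign(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def ds_digest(zone_key):
    # DS record content: a digest of the child's key, held in the parent zone
    return hashlib.sha256(zone_key).digest()

def publish_ds(zones, parent, child):
    # The parent vouches for `child` by signing its DS with the parent's key
    digest = ds_digest(zones[child]["key"])
    sig = sign(zones[parent]["key"], child.encode() + digest)
    zones[parent]["ds"][child] = (digest, sig)

def build_zones():
    # Deterministic constructed keys so the scenario is reproducible
    zones = {z: {"key": hashlib.sha256(z.encode() + b"constructed").digest(),
                 "ds": {}} for z in (".", "com.", "fugue.com.")}
    publish_ds(zones, ".", "com.")
    publish_ds(zones, "com.", "fugue.com.")
    return zones

def validate(zones, trust_anchor, name):
    """Walk the delegation path from the trust anchor down to `name`.
    Returns the key of `name` if every DS link verifies, else None."""
    labels = name.rstrip(".").split(".")
    path = ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]
    trusted_key = trust_anchor
    for parent, child in zip(path, path[1:]):
        entry = zones[parent]["ds"].get(child)
        if entry is None:
            return None  # no delegation published by the parent
        digest, sig = entry
        if not hmac.compare_digest(sign(trusted_key, child.encode() + digest), sig):
            return None  # DS not signed by the key we trust for the parent
        if ds_digest(zones[child]["key"]) != digest:
            return None  # child's published key does not match the parent's DS
        trusted_key = zones[child]["key"]  # the child's key is now trusted
    return trusted_key

FORGED_KEY = b"constructed key not issued by fugue.com"

def swap_child_key_only(zones):
    # Child key replaced, but the parent's DS still names the genuine key
    zones["fugue.com."]["key"] = FORGED_KEY
    return zones

def swap_child_key_with_parent_key(zones):
    # Holder of com.'s key re-publishes a DS vouching for the replaced key
    zones["fugue.com."]["key"] = FORGED_KEY
    publish_ds(zones, "com.", "fugue.com.")
    return zones
```

Validating `fugue.com.` from the root anchor fails after `swap_child_key_only` (the DS in `com.` no longer matches) but succeeds after `swap_child_key_with_parent_key`, which is exactly why an ancestor zone's key needs a security policy matching the trust placed in it.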
--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: