David Blacka wrote:
>
> On Aug 16, 2005, at 10:24 AM, Ben Laurie wrote:
>
>> I've been reviewing the security considerations of
>> http://www.ietf.org/internet-drafts/...xt-dnssec-opt-in-07.txt.
>> It seems to me that the statement:
>>
>> In particular, this means that a malicious entity may be able to
>> insert or delete records with unsigned names. These records are
>> normally NS records, but this also includes signed wildcard
>> expansions (while the wildcard record itself is signed, its expanded
>> name is an unsigned name).
>>
>> This seems to me to be incorrect, since a denial of a domain must
>> include a denial for the matching wildcard. Similarly, the wildcard
>> being signed means that "insertion" isn't possible if there's a
>> wildcard present, since all records would exist anyway.
>
> What this is trying to say is that an attacker (presumably a MitM) can
> undetectably insert an unsigned delegation that blocks a wildcard
> expansion. And conversely, the attacker could undetectably replace a
> normal unsigned delegation with a wildcard expansion (if there was a
> wildcard present, that is).
Ah, I see.

--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
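To make David's point concrete, here is an added example that is not part of the thread: a deliberately simplified model of an Opt-In-aware validator. The record shapes, the `opt_in` flag and the names under `example` are constructed for illustration; the model ignores real canonical ordering, RRSIG checking and DS lookups, and only captures which NSEC proof each kind of response needs.

```python
# Added example (not from the thread): toy Opt-In validator showing why an
# unsigned delegation and a wildcard expansion for the same name validate
# against the very same Opt-In NSEC proof, so a MitM can swap one for the other.
from dataclasses import dataclass

@dataclass
class NSEC:
    owner: str
    next: str
    opt_in: bool  # constructed flag: span may contain unlisted unsigned delegations

@dataclass
class Response:
    qname: str
    rtype: str             # "NS" (delegation) or "A" (answer)
    signed: bool           # carries an RRSIG assumed to have verified already
    wildcard: bool = False # answer synthesized from a signed wildcard record

def _covers(nsec, name):
    # Canonical DNS ordering is simplified to string comparison; it holds for
    # the constructed single-label children of 'example' used below.
    return nsec.owner < name < nsec.next

def validate(resp, nsec):
    """Return 'secure', 'insecure' or 'bogus' for one response."""
    if resp.rtype == "NS" and not resp.signed:
        # An unsigned delegation is acceptable only inside an Opt-In span.
        if _covers(nsec, resp.qname) and nsec.opt_in:
            return "insecure"
        return "bogus"
    if resp.signed and resp.wildcard:
        # A wildcard expansion needs proof that qname itself does not exist.
        # The NSEC only proves no *signed* name is there, and that is all the
        # validator can check; an unsigned delegation would be invisible.
        return "secure" if _covers(nsec, resp.qname) else "bogus"
    return "secure" if resp.signed else "bogus"

def compare(opt_in):
    """Validate both candidate responses for foo.example against one NSEC."""
    nsec = NSEC("example", "zzz.example", opt_in)  # constructed span
    delegation = Response("foo.example", "NS", signed=False)
    expansion = Response("foo.example", "A", signed=True, wildcard=True)
    return validate(delegation, nsec), validate(expansion, nsec)
```

With Opt-In, `compare(True)` accepts both the delegation and the expansion on identical evidence, which is the undetectable swap David describes; without Opt-In, `compare(False)` rejects the unsigned delegation as bogus.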
