> Alex Bligh wrote:
> >> That's a big surprise, because DNSSEC is not a protection against
> >> most, if not all, of attacks, even when zone administrators are
> >> not compromised, which is as easy as compromising ISPs.

> > Specifically, DNSSEC is a protection against injection / MITM attacks.

> A man working for zone administrators can be the MITM, just as a
> man woking for ISPs can be the MITM.
> > The alternative rational argument is to say "leave DNS insecure,

> Properly implemented and operated plain DNS is secure.
> Properly implemented and operated plain DNS is just as secure
> as properly implemented and operated DNSSEC.
> Both are weakly secure.
> Of course, improperly implemented or operated DNSSEC is less secure
> than properly implemented and operated plain DNS.
> > solve it all at a higher level, for each protocol,
> > based on certificates etc., and

> PKI is weakly secure.
> You can enjoy cryptographic security only when you directly share
> secret information with your peer. Security does cost.
> Masataka Ohta

Sure humans could inject data in the pre-sign stage of any
of the parents. This in no different to the occassional
bogus NS RRsets that get added to parents today. I don't
think anyone that knows anything about security would say
that this can't happen. In fact this is the weakest part

On the other has these are rare events compared to the the
attack senarios DNSSEC is designed to protect against.
i.e. spoofed responses.

Now for most zones there are two or three parent zones
that you need to worry about. For those that I've seen
DNSSEC operational plans for I believe them to be secure
against the DNS server machines being compromised. At
worst it results in a DoS attack on the root.

I believe the root can be secured against all but compromised
personel. The root zone is small enough that all data to
be entered can be transfered by hand. There is also a small
enough number of child zones that in person transfers of DS
records will be possible and/or electronic transfers with
backup human to human verification will be possible.

For COM, COM.AU etc. we are going to have to trust that the
registration system won't be compromised. I'm not worried
about the DNS servers themselves being compromised as all
it lead to is a DoS.

AU, UK and other small TLD's are in a similar situation to
the root zone in that it could all be done by hand verification.

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@isc.org

to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.