Exploit for DNS Cache Poisoning - RELEASED

David Conrad drc at virtualized.org
Fri Jul 25 15:06:22 UTC 2008


Valdis,

On Jul 24, 2008, at 6:05 PM, Valdis.Kletnieks at vt.edu wrote:
> On Thu, 24 Jul 2008 17:43:10 PDT, David Conrad said:
>> On Jul 24, 2008, at 4:24 PM, Tomas L. Byrnes wrote:
>>> The problem is, once the ICANNt root is self-signed, the hope of ever
>>> revoking that dysfunctional mess as authority is gone.
>
>> As far as I'm aware, as long as the KSK isn't compromised, changing
>> the organization who holds the KSK simply means waiting until the next
>> KSK rollover and have somebody else do the signing.
>
> That's true if the ICANN KSK is signed *by some other entity* - that entity
> can then force a change by signing some *other* KSK for the next rollover.
>
> If the ICANN key is self-signed as Tomas hypothesizes, then that leverage
> evaporates.

Except it doesn't work like that.  As has been presented in numerous  
places (RIPE, ICANN, etc.), Richard Lamb has been working with the  
usual suspects (the Swedish DNSSEC mafia, NLNetLabs folks, Nominet  
folks, etc.) to come up with a secure, trustable, and accountable  
architecture for doing the signing.  If a miracle happens and IANA  
were to be allowed to sign the root and then was told to give it to  
someone else, all that would need to be done would be for IANA staff  
to hand over the HSM, PIN codes and cards to someone else.  Of course,  
part of the architecture is that there is more than one card and that  
someone other than IANA would hold the second card (i.e., the same  
sort of thing you see in US missile silos), but that's somewhat  
irrelevant to a discussion about how the "dysfunctional mess" would  
have its "authority" revoked.

I suppose one could argue that ICANN could refuse to hand over the  
HSM, the PIN codes and cards, but given ICANN is a California-incorporated  
company providing the IANA functions under a contract  
with the US government, I somehow doubt ICANN would be in any position  
to refuse.  Federal Marshals can be quite persuasive I'm told.

Of course, all of this is academic since I figure it is highly  
unlikely IANA will be permitted to sign the root.  If anyone, my money  
is on VeriSign (you remember them...) but it may be some other Beltway  
Bandit as Paul suggests.

Regards,
-drc