Exploit for DNS Cache Poisoning - RELEASED
drc at virtualized.org
Fri Jul 25 15:06:22 UTC 2008
On Jul 24, 2008, at 6:05 PM, Valdis.Kletnieks at vt.edu wrote:
> On Thu, 24 Jul 2008 17:43:10 PDT, David Conrad said:
>> On Jul 24, 2008, at 4:24 PM, Tomas L. Byrnes wrote:
>>> The problem is, once the ICANNt root is self-signed, the hope of
>>> revoking that dysfunctional mess as authority is gone.
>> As far as I'm aware, as long as the KSK isn't compromised, changing
>> the organization who holds the KSK simply means waiting until the
>> KSK rollover and have somebody else do the signing.
> That's true if the ICANN KSK is signed *by some other entity* - that
> can then force a change by signing some *other* KSK for the next
> If the ICANN key is self-signed as Tomas hypothesizes, then that
Except it doesn't work like that. As has been presented in numerous
places (RIPE, ICANN, etc.), Richard Lamb has been working with the
usual suspects (the Swedish DNSSEC mafia, NLNetLabs folks, Nominet
folks, etc.) to come up with a secure, trustable, and accountable
architecture for doing the signing. If a miracle happens and IANA
were to be allowed to sign the root and then was told to give it to
someone else, all that would need to be done would be for IANA staff
to hand over the HSM, PIN codes and cards to someone else. Of course,
part of the architecture is that there is more than one card and that
someone other than IANA would hold the second card (i.e., the same
sort of thing you see in US missile silos), but that's somewhat
irrelevant to a discussion about how the "dysfunctional mess" would
have its "authority" revoked.
I suppose one could argue that ICANN could refuse to hand over the
HSM, the PIN codes and cards, but given ICANN is a California-
incorporated company providing the IANA functions under a contract
with the US government, I somehow doubt ICANN would be in any position
to refuse. Federal Marshals can be quite persuasive I'm told.
Of course, all of this is academic since I figure it is highly
unlikely IANA will be permitted to sign the root. If anyone, my money
is on VeriSign (you remember them...) but it may be some other Beltway
Bandit as Paul suggests.