New addresses for b.root-servers.net

Masataka Ohta mohta at necom830.hpcl.titech.ac.jp
Mon Jun 19 09:08:19 UTC 2023


Matt Corallo wrote:

>> Both in theory and practice, DNSSEC is not secure end to
>> end
> 
> Indeed, but (a) there's active work in the IETF to change that (DNSSEC 
> stapling to TLS certs)

TLS? What? As was demonstrated by DigiNotar, PKI is NOT
cryptographically secure and vulnerable to MitM attacks
on intermediate intelligent entities of CAs.

Note that DigiNotar was advertised to be operated
with HSMs and four-eyes principle, which means
both of them were proven to be untrustworthy
marketing hype.

> and (b) that wasn't the point - the above post 
> said "It’s not like you can really trust your packets going to B _today_ 
> are going to and from the real B (or Bs)." which is exactly what DNSSEC 
> protects against!

As long as root key rollover is performed in time and
intermediate zones such as ccTLDs are not compromised,
maybe, which is why it is not very useful or secure.

The following description

	https://en.wikipedia.org/wiki/DigiNotar
	Secondly, they issued certificates for the Dutch
	government's PKIoverheid ("PKIgovernment") program.
	This issuance was via two intermediate certificates,
	each of which chained up to one of the two "Staat der
	Nederlanden" root CAs. National and local Dutch
	authorities and organisations offering services for the
	government who want to use certificates for secure internet
	communication can request such a certificate. Some of the
	most-used electronic services offered by Dutch governments
	used certificates from DigiNotar. Examples were the
	authentication infrastructure DigiD and the central
	car-registration organisation Netherlands Vehicle
	Authority [nl] (RDW).

makes it clear that entities operating ccTLDs may also
be compromised.

> If it's not useful, please describe a mechanism by which an average 
> recursive resolver can be protected against someone hijacking C root on 
> Hurricane Electric (which doesn't otherwise have the announcement at 
> all, last I heard) and responding with bogus data?

As DNSSEC capable resolvers are not very secure, you don't
have to make plain resolvers so secure.

>> For example, root key rollover is as easy/difficult as
>> updating IP addresses for b.root-servers.net.
> 
> Then maybe read the rest of this thread, cause lots of folks pointed out 
> issues with *just* updating the IP and not bothering to give it some 
> time to settle :)

In this thread, I'm the first to have pointed out that old IP
addresses of root servers must be reserved (for 50 years).


						Masataka Ohta

