This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/dns-wg@ripe.net/
[dns-wg] DNSSEC trust anchors for unsigned zones
- Previous message (by thread): [dns-wg] DNSSEC trust anchors for unsigned zones
- Next message (by thread): [dns-wg] DNSSEC trust anchors for unsigned zones
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Alexander Gall
gall at switch.ch
Wed Jan 30 12:48:26 CET 2008
On Wed, 30 Jan 2008 11:00:38 +0000, Jim Reid <jim at rfc1035.com> said: > On Jan 30, 2008, at 10:34, Alexander Gall wrote: >> The current set of trust anchors distributed by RIPE NCC includes >> the domains >> >> disi.nl example.net pwei.net >> >> None of these currently have any DNSSEC resource records (i.e. they >> are insecure), which effectively brakes those zones for everybody who >> uses that particular set of trust anchors. > Doesn't everyone check any third party's trust anchors before > configuring them into their secure resolvers? Actually, I think this is an interesting but tricky question. Of course, everybody can eventually decide for themselves, which trust anchors they want to accept. However, if somebody you trust (the RIPE NCC in this case) gives you a list of domains which are supposed to be secure (which is really what this is all about), you're susceptible to a downgrade attack when you're willing to drop a trust anchor because you conclude that DNSSEC is not enabled for a zone from unsigned query responses that might all be spoofed. If you want to be really serious about this, you need to check with the distributor of the trust anchor and accept the zones to be bogus until things get fixed one way or the other. That would be pretty much what would happen if the parent zone was signed (and trusted) and had a DS record for the zone. -- Alex
- Previous message (by thread): [dns-wg] DNSSEC trust anchors for unsigned zones
- Next message (by thread): [dns-wg] DNSSEC trust anchors for unsigned zones
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
[ dns-wg Archives ]