nanog mailing list archives
Re: Exploit for DNS Cache Poisoning - RELEASED
From: David Conrad <drc () virtualized org>
Date: Fri, 25 Jul 2008 08:06:22 -0700
Valdis,

On Jul 24, 2008, at 6:05 PM, Valdis.Kletnieks () vt edu wrote:
> On Thu, 24 Jul 2008 17:43:10 PDT, David Conrad said:
>> On Jul 24, 2008, at 4:24 PM, Tomas L. Byrnes wrote:
>>> The problem is, once the ICANNt root is self-signed, the hope of ever
>>> revoking that dysfunctional mess as authority is gone.
>> As far as I'm aware, as long as the KSK isn't compromised, changing
>> the organization who holds the KSK simply means waiting until the next
>> KSK rollover and have somebody else do the signing.
> That's true if the ICANN KSK is signed *by some other entity* - that
> entity can then force a change by signing some *other* KSK for the next
> rollover. If the ICANN key is self-signed as Tomas hypothesizes, then
> that leverage evaporates.
Except it doesn't work like that. As has been presented in numerous places (RIPE, ICANN, etc.), Richard Lamb has been working with the usual suspects (the Swedish DNSSEC mafia, NLNetLabs folks, Nominet folks, etc.) to come up with a secure, trustable, and accountable architecture for doing the signing. If a miracle happens and IANA were to be allowed to sign the root and then was told to give it to someone else, all that would need to be done would be for IANA staff to hand over the HSM, PIN codes and cards to someone else. Of course, part of the architecture is that there is more than one card and that someone other than IANA would hold the second card (i.e., the same sort of thing you see in US missile silos), but that's somewhat irrelevant to a discussion about how the "dysfunctional mess" would have its "authority" revoked.
I suppose one could argue that ICANN could refuse to hand over the HSM, the PIN codes and cards, but given ICANN is a California-incorporated company providing the IANA functions under a contract with the US government, I somehow doubt ICANN would be in any position to refuse. Federal Marshals can be quite persuasive I'm told.
Of course, all of this is academic since I figure it is highly unlikely IANA will be permitted to sign the root. If anyone, my money is on VeriSign (you remember them...) but it may be some other Beltway Bandit as Paul suggests.
Regards,
-drc