Bill Stewart <bill.stewart@pobox.com> writes:
At 11:15 PM 06/28/2003 -0400, Steven M. Bellovin wrote:
In message <5.1.1.6.2.20030628124252.033e5600@idiom.com>, Bill Stewart writes:
This looks like it has the ability to work around DNSSEC. Somebody trying to verify that they'd correctly reached yahoo.com would instead verify that they'd correctly reached yahoo.com.attackersdomain.com, which can provide all the signatures it needs to make this convincing.
So if you're depending on DNSSEC to secure your IPSEC connection, do make sure your DNS server doesn't have a suffix of echelon.nsa.gov...
No, that's just not true of DNSsec. DNSsec doesn't depend on the integrity of the connection to your DNS server; rather, the RRsets are digitally signed. In other words, it works a lot like certificates, with a trust chain going back to a magic root key.
I thought about that, and I think this is an exception, because this attack tricks your machine into using the trust chain yahoo.com.attackersdomain.com., which it controls, instead of the trust chain yahoo.com., which DNSSEC protects adequately. So you're getting a trustable answer to the wrong query.
No, I believe only one of the following situations can occur: * Your laptop see and uses the name "yahoo.com", and the DNS server translate them into yahoo.com.attackersdomain.com. If your laptop knows the DNSSEC root key, the attacker cannot spoof yahoo.com since it doesn't know the yahoo.com key. This attack is essentially a man-in-the-middle attack between you and your recursive DNS server. * Your laptop see and uses the name "yahoo.com.attackersdomain.com". You may be able to verify this using your DNSSEC root key, if the attackersdomain.com people have set up DNSSEC for their spoofed entries, but unless you are using bad software or judgment, you will not confuse this for the real "yahoo.com". Of course, everything fails if you ALSO get your DNSSEC root key from the DHCP server, but in this case you shouldn't expect to be secure. I wouldn't be surprised if some people suggest pushing the DNSSEC root key via DHCP though, because alas, getting the right key into the laptop in the first place is a difficult problem.