Attacking networks using DHCP, DNS - probably kills DNSSEC NOT

Simon Josefsson jas at extundo.com
Sun Jun 29 21:58:02 PDT 2003


Bill Stewart <bill.stewart at pobox.com> writes:

>>* Your laptop sees and uses the name "yahoo.com.attackersdomain.com".
>>   You may be able to verify this using your DNSSEC root key, if the
>>   attackersdomain.com people have set up DNSSEC for their spoofed
>>   entries, but unless you are using bad software or judgment, you will
>>   not confuse this for the real "yahoo.com".
>
> The DNS suffix business is designed so that your laptop tries
> to use "yahoo.com.attackersdomain.com", either before "yahoo.com"
> or after unsuccessfully trying "yahoo.com", depending on implementation.
> It may be bad judgement, but it's designed to support intranet sites
> for domains that want their web browsers and email to let you
> refer to "marketing" as opposed to "marketing.webservers.example.com",
> and Netscape-derived browsers support it as well as IE.

It can be a useful feature, but it does not circumvent DNSSEC in any
way that I can see.  DNSSEC sees yahoo.com.attackersdomain.com and can
verify that the IP addresses for that host are the ones that the owner
of the y.c.a.c domain publishes, and that is what DNSSEC delivers.
The bad judgement I referred to was if your software, after DNSSEC
verification, confuses yahoo.com with yahoo.com.attackersdomain.com.

>>Of course, everything fails if you ALSO get your DNSSEC root key from
>>the DHCP server, but in this case you shouldn't expect to be secure.
>>I wouldn't be surprised if some people suggest pushing the DNSSEC root
>>key via DHCP though, because alas, getting the right key into the
>>laptop in the first place is a difficult problem.
>
> I agree with you and Steve that this would be a Really Bad Idea.
> The only way to make it secure is to use an authenticated DHCP,
> which means you have to put authentication keys in somehow,
> plus you need a reasonable response for handling authentication failures,
> which means you need a user interface as well.
> It's also the wrong scope, since the DNSSEC is global information,
> not connection-oriented information, so it's not really DHCP's job.

I think it is simpler to have the DNSSEC root key installed with the
DNSSEC software.  If someone can replace the root key in that
distribution channel, they could also modify your DNSSEC software, so
you are no worse off.
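
The search-suffix behaviour discussed in this message, modelled as an added example that is not part of the original post or of any resolver's code: it lists the names a stub resolver tries in either order, then compares the owner name that was validated with the name the user typed. The function names, the zone table, the addresses and the "secure" flag are constructed assumptions.

```python
# Constructed sample data: owner names mapped to (address, DNSSEC-validated?).
# Addresses come from documentation ranges; nothing here is a real record.
ZONES = {
    "yahoo.com.": ("192.0.2.10", True),
    "yahoo.com.attackersdomain.com.": ("198.51.100.66", True),
}


def candidates(name, search, suffix_first):
    """FQDNs a stub resolver tries, in order, for the name the user typed."""
    if name.endswith("."):
        return [name.lower()]  # absolute name: the search list is never applied
    absolute = name.lower() + "."
    expanded = [f"{name}.{s.strip('.')}.".lower() for s in search]
    return expanded + [absolute] if suffix_first else [absolute] + expanded


def resolve(name, search, suffix_first, zones=ZONES):
    """Return (owner_name, address, secure) for the first candidate that exists."""
    for fqdn in candidates(name, search, suffix_first):
        if fqdn in zones:
            address, secure = zones[fqdn]
            return fqdn, address, secure
    return None, None, False


def check_binding(typed, owner, secure):
    """Compare the validated owner name with the name the user typed."""
    if owner is None:
        return "nxdomain"
    if not secure:
        return "unvalidated"
    want = typed.rstrip(".").lower() + "."
    if owner == want:
        return "ok"
    if owner.startswith(want):
        return "suffix-expanded"  # signature is valid, but for another owner name
    return "mismatch"


def lookup(typed, search, suffix_first):
    """Resolve `typed` and classify the answer; returns (owner_name, verdict)."""
    owner, _address, secure = resolve(typed, search, suffix_first)
    return owner, check_binding(typed, owner, secure)


if __name__ == "__main__":
    dhcp_search = ["attackersdomain.com"]  # search list as handed out by DHCP
    for typed, first in [("yahoo.com", True), ("yahoo.com", False), ("yahoo.com.", True)]:
        print(typed, first, lookup(typed, dhcp_search, first))
```

Both answers validate; only the comparison against the typed name shows that the suffix-first lookup returned data for a different owner.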





More information about the cypherpunks-legacy mailing list