[dns-operations] Downgrade attack readiness Re: DNSSEC issue - why?

Edward Lewis edward.lewis at icann.org
Tue Jun 9 14:55:03 UTC 2015


On 6/9/15, 10:24, "Casey Deccio" <casey at deccio.net> wrote:

> But when you consider a downgrade attack, the attacker only needs the lowest
> hanging fruit.  That means that *any* DS (regardless of DNSKEY) with the
> weaker digest type could potentially be used for falsifying a DNSKEY.

I'm just going to throw this on the mat - perhaps we've (and I mean the
loose collective of folks involved with DNSSEC over the decades) had a poor
understanding of downgrade attacks (how they happen, etc.) and have poorly
addressed them. Given that I've never seen one (downgrade attack) work (in
practice/in the field), I've never been able to reverse engineer it.  Having
an academic/theoretic understanding is oftentimes not sufficient.

Like learning to take down a spinnaker on a sailboat on a calm day in the
dock and then expecting to execute the steps heeled over in a gale.  Or
learning to change a diaper on a doll and then expecting to do the same for
the first time in the back seat of a car. ;)  Those are two areas where
cleanroom experience didn't translate to real world experience so much.

In general - has anyone seen an actual attack thwarted by DNSSEC?  Or an
attack beat a DNSSEC defense?  Not looking to justify the investment,
looking for the opportunity to reverse engineer.
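Casey's point above, illustrated from the zone operator's side as an added example (code written for this page, not from the thread or any resolver implementation; the zone name and key bytes are constructed): it builds DS digests the way RFC 4034 and RFC 4509 define them, then reports keys that a validator accepting any single matching DS would end up trusting through the weakest digest type the parent publishes.

```python
import hashlib
ZONE = "example.test."  # constructed example zone; not from the thread

def name_to_wire(name):
    """Owner name in canonical lowercase wire format (RFC 4034 s6.2)."""
    labels = [lab for lab in name.lower().split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    # DNSKEY RDATA layout per RFC 4034 s2.1: flags(2) protocol(1) algorithm(1) key
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (non-algorithm-1 keys)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types, RFC 4034 / RFC 4509

def make_ds(owner, rdata, digest_type):
    """DS fields (key tag, algorithm, digest type, hex digest) for a DNSKEY."""
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], digest_type, digest)

def ds_matches(ds, owner, rdata):
    return ds[2] in DIGESTS and make_ds(owner, rdata, ds[2]) == ds

def weakest_accepted_digest(ds_set, owner, rdata):
    """Lowest digest type that alone authenticates the key; a match-any validator is only this strong."""
    matched = [ds[2] for ds in ds_set if ds_matches(ds, owner, rdata)]
    return min(matched) if matched else None

def audit(ds_set, owner, keys):
    """Report (key tag, weakest digest, strongest published) for keys trusted via a weaker digest."""
    strongest = max(ds[2] for ds in ds_set)
    findings = []
    for rdata in keys:
        weakest = weakest_accepted_digest(ds_set, owner, rdata)
        if weakest is not None and weakest < strongest:
            findings.append((key_tag(rdata), weakest, strongest))
    return findings

# Two KSKs with dummy key material: A has a SHA-256 DS, B only a legacy SHA-1 DS.
KEY_A = dnskey_rdata(257, 3, 8, b"\x03\x01\x00\x01" + bytes(range(64)))
KEY_B = dnskey_rdata(257, 3, 8, b"\x03\x01\x00\x01" + bytes(range(64, 128)))
DS_SET = [make_ds(ZONE, KEY_A, 2), make_ds(ZONE, KEY_B, 1)]
FINDINGS = audit(DS_SET, ZONE, [KEY_A, KEY_B])  # -> [(key_tag(KEY_B), 1, 2)]
```

Key B is the low-hanging fruit: the stronger DS for key A does nothing for it, so the fix is at the parent (drop the stale SHA-1 DS) rather than in the validator.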

