Matt Corallo wrote:
Both in theory and practice, DNSSEC is not secure end to end
Indeed, but (a) there's active work in the IETF to change that (DNSSEC stapling to TLS certs)
TLS? What? As was demonstrated by diginotar, PKI is NOT cryptographically secure and vulnerable to MitM attacks on intermediate intelligent entities of CAs. Note that diginotar was advertised to be operated with HSMs and four-eyes principle, which means both of them were proven to be untrustworthy marketing hypes.
and (b) that wasn't the point - the above post said "It’s not like you can really trust your packets going to B _today_ are going to and from the real B (or Bs)." which is exactly what DNSSEC protects against!
As long as root key rollover is performed in time and intermediate zones such as ccTLDs are not compromised, maybe, which is why it is not very useful or secure. The following description https://en.wikipedia.org/wiki/DigiNotar Secondly, they issued certificates for the Dutch government's PKIoverheid ("PKIgovernment") program. This issuance was via two intermediate certificates, each of which chained up to one of the two "Staat der Nederlanden" root CAs. National and local Dutch authorities and organisations offering services for the government who want to use certificates for secure internet communication can request such a certificate. Some of the most-used electronic services offered by Dutch governments used certificates from DigiNotar. Examples were the authentication infrastructure DigiD and the central car-registration organisation Netherlands Vehicle Authority [nl] (RDW). makes it clear that entities operating ccTLDs may also be compromised.
If its not useful, please describe a mechanism by which an average recursive resolver can be protected against someone hijacking C root on Hurricane Electric (which doesn't otherwise have the announcement at all, last I heard) and responding with bogus data?
As DNSSEC capable resolvers are not very secure, you don't have to make plain resolvers so secure.
For example, root key rollover is as easy/difficult as updating IP addresses for b.root-servers.net.
Then maybe read the rest of this thread, cause lots of folks pointed out issues with *just* updating the IP and not bothering to give it some time to settle :)
In this thread, I'm the first to have pointed out that old IP addresses of root servers must be reserved (for 50 years). Masataka Ohta