[13736] in cryptography@c2.net mail archive


Re: Attacking networks using DHCP, DNS - probably kills DNSSEC NOT

daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Mon Jun 30 14:18:07 2003

X-Original-To: cryptography@metzdowd.com
To: Simon Josefsson <jas@extundo.com>
Cc: Bill Stewart <bill.stewart@pobox.com>, cryptography@metzdowd.com,
	cypherpunks@lne.com
Date: Mon, 30 Jun 2003 11:19:37 -0400
From: "Steven M. Bellovin" <smb@research.att.com>

In message <ilubrwggo11.fsf_-_@latte.josefsson.org>, Simon Josefsson writes:
>Bill Stewart <bill.stewart@pobox.com> writes:
>
>>>* Your laptop sees and uses the name "yahoo.com.attackersdomain.com".
>>>   You may be able to verify this using your DNSSEC root key, if the
>>>   attackersdomain.com people have set up DNSSEC for their spoofed
>>>   entries, but unless you are using bad software or judgment, you will
>>>   not confuse this for the real "yahoo.com".
>>
>> The DNS suffix business is designed so that your laptop tries
>> to use "yahoo.com.attackersdomain.com", either before "yahoo.com"
>> or after unsuccessfully trying "yahoo.com", depending on implementation.
>> It may be bad judgement, but it's designed to support intranet sites
>> for domains that want their web browsers and email to let you
>> refer to "marketing" as opposed to "marketing.webservers.example.com",
>> and Netscape-derived browsers support it as well as IE.
>
>It can be a useful feature, but it does not circumvent DNSSEC in any
>way, that I can see.  DNSSEC sees yahoo.com.attackersdomain.com and can
>verify that the IP addresses for that host are the ones that the owner
>of the y.c.a.c domain publishes, and that is what DNSSEC delivers.
>The bad judgement I referred to was if your software, after DNSSEC
>verification, confuses yahoo.com with yahoo.com.attackersdomain.com.
>

It's also not a new problem -- see RFC 1535.


		--Steve Bellovin, http://www.research.att.com/~smb (me)
		http://www.wilyhacker.com (2nd edition of "Firewalls" book)



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
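
Added example, not part of the original message or of any resolver's source: a small model of the search-suffix expansion the thread discusses, showing the two query orders ("before" or "after" trying the name as typed) and the application-side check for whether the answered name is the one the user typed. The function names, the addresses and the ZONE table are constructed; the `ndots` parameter is modelled on the resolv.conf option of the same name.

```python
# Added illustration: model of stub-resolver search-list expansion.
# All names, addresses and the ZONE table are constructed sample data.

def candidates(name, search, ndots=1, suffix_first=False):
    """Fully qualified names a stub resolver would query, in order."""
    if name.endswith("."):                 # trailing dot: absolute, never expanded
        return [name]
    absolute = name + "."
    expanded = [f"{name}.{s.strip('.')}." for s in search]
    if not suffix_first and name.count(".") >= ndots:
        return [absolute] + expanded       # as typed first, suffixes as fallback
    return expanded + [absolute]           # suffixes first

def resolve(name, search, zone, **policy):
    """Return (answered_name, address, was_expanded) for the first hit."""
    typed = name.rstrip(".") + "."
    for fqdn in candidates(name, search, **policy):
        if fqdn in zone:
            return fqdn, zone[fqdn], fqdn != typed
    return None, None, False

SEARCH = ["attackersdomain.com"]           # suffix as handed out by DHCP
ZONE = {
    "yahoo.com.": "192.0.2.10",
    "yahoo.com.attackersdomain.com.": "203.0.113.66",
    "marketing.webservers.example.com.": "198.51.100.5",
}

if __name__ == "__main__":
    for label, policy in (("as typed first", {}), ("suffix first", {"suffix_first": True})):
        fqdn, addr, was_expanded = resolve("yahoo.com", SEARCH, ZONE, **policy)
        note = "  <-- not the name the user typed" if was_expanded else ""
        print(f"{label:15} {fqdn} {addr}{note}")
```

A DNSSEC validator would accept a correctly signed answer for either name; the `was_expanded` flag is the comparison that has to happen in the software that presents the result to the user.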
