[PCBSD-malaysia] [Owasp-Malaysia] [MySEC] Breaking DNSSEC

Amir Haris amirharis at gmail.com
Sat Apr 10 06:05:24 PDT 2010


Brian,

Yeah, I'm referring to most of the articles about DNSSEC in IEEE. If you say
the crypto is vulnerable and can be attacked by hackers, I think you are
wrong. The main idea of DNSSEC is to provide integrity by using public key
crypto and one-way hashing (from root to bottom). If you do not know how to
manage your keys (KSK & ZSK), you might face a problem when you roll over your
keys. RFC 5011 tells you more about how to manage your keys, and if you
follow the guideline you will be on the safe side. Since DNS is very important
in the IP network, you as zone administrator must ensure the
availability of the DNS. Other important considerations when you are
implementing DNSSEC are key size, key rollover, HSM (key storage; you can
use SoftHSM), re-signing interval, algorithm (RSASHA256) and NSEC. The
discussion about vulnerabilities when implementing DNSSEC is more about its
drawbacks, e.g. increase in the file size, EDNS0, algorithm, place to
store the keys, the policies involved, the end-user application and others.
We might have some classes about DNSSEC.


rgds
Amir

On Sat, Apr 10, 2010 at 8:52 PM, BRIAN RITCHIE <esqbrianritchie at gmail.com> wrote:

> Amir,
>
>   Thanks for the comments. Haven't read the doc yet but yeah any system
> with poor implementation = flawed by default. Curious what this document has
> to say
>
> -BRIAN RITCHIE
>
>
> On Sat, Apr 10, 2010 at 8:49 PM, Amir Haris Ahmad <amir at localhost.my> wrote:
>
>> Yes, with improper/poor implementation you might face problems.
>> DNSSEC uses public key cryptography and you need to maintain it.
>> Administering DNS is fun stuff when you are enabling DNSSEC in your
>> production (you need to know more). Come on, you know you should read these
>> RFCs: 4033, 4034, 4035 and 5011. If anyone has doubts about DNSSEC, we can
>> discuss it. The root servers will enable DNSSEC in production by July this
>> year and .my in Q4 this year. UDPPoke, Poke, Poker, TCPPoke... great.
>>
>>
>> rgds
>> Amir Haris
>>
>>   On Sat, Apr 10, 2010 at 8:03 PM, BRIAN RITCHIE <
>> esqbrianritchie at gmail.com> wrote:
>>
>>>  Thanks for this. Will check it out.
>>>
>>>  On Sat, Apr 10, 2010 at 3:00 PM, Muhammad Najmi Ahmad Zabidi <
>>> najmi.zabidi at gmail.com> wrote:
>>>
>>>> http://cr.yp.to/talks/2009.08.10/slides.pdf
>>>>
>>>> DJB, the author of Qmail
>>>>
>>>> --
>>>> You received this message because you are subscribed to the Google
>>>> Groups "MySecurity" group.
>>>> To post to this group, send email to mysecurity at googlegroups.com.
>>>> To unsubscribe from this group, send email to
>>>> mysecurity+unsubscribe at googlegroups.com<mysecurity%2Bunsubscribe at googlegroups.com>
>>>> .
>>>> For more options, visit this group at
>>>> http://groups.google.com/group/mysecurity?hl=en.
>>>>
>>>>
>>>
>>> _______________________________________________
>>> Owasp-Malaysia mailing list
>>> Owasp-Malaysia at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-malaysia
>>>
>>> OWASP Malaysia Wiki
>>> http://www.owasp.org/index.php/Malaysia
>>>
>>> OWASP Malaysia Wiki Facebook
>>> http://www.facebook.com/pages/OWASP-Malaysia-Local-Chapter/295989208420
>>>
>>
>>