DNSSEC/securityについて、ここに記述してください。 こんなに勉強しなければ、心配で使えないDNSSECとはなんのため、誰のために存在するのだろう。 ---- http://www.isoc.org/isoc/conferences/ndss/10/pdf/17.pdf (論文、コピーあり) いきなり[[/9個の問題点]]がならんでいます。すごい。-- ToshinoriMaeno <> DNSSEC_Security_Evaluation_CS259.pdf (スライド、コピーあり) {{{ A Security Evaluation of DNSSEC with NSEC3. Jason Bau. Stanford University. Stanford, CA, USA jbau@stanford.edu. John Mitchell. Stanford University. Stanford, CA, USA mitchell@cs.stanford.edu. }}} abstract: {{{ Domain Name System Security Extensions (DNSSEC) with Hashed Authenticated Denial of Existence (NSEC3) is a protocol slated for adoption by important parts of the DNS hierarchy, including the root zone, as a solution to DNS security vulnerabilities such as “cache-poisoning” attacks. We study the security goals and operation of DNSSEC/NSEC3 and use Murφ, a finite-state enumera- tion tool, to analyze its security guarantees and shortcom- ings. By checking DNSSEC/NSEC3 security properties in the presence of a network attacker, we uncover several weaknesses in the DNSSEC protocol, including incorrect temporal dependencies in the DNSSEC signature attesta- tion chain and NSEC3 options that allow a forged name to be inserted into a DNSSEC domain. We demonstrate the exploitability of the NSEC3 vulnerability by a browser cookie-stealing attack on a realistic laboratory DNSSEC domain. We offer implementation and configuration advice which minimize the exploitability of the uncovered vulnera- bilities. After re-incorporating the advised repairs into the Murφ DNSSEC model, we demonstrate the updated proto- col no longer contains vulnerabilities exploitable within our threat model. }}}