[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

(racoon 586) Fw: bypassing authentication when using DNS(SEC)

To: racoon@kame.net
Subject: (racoon 586) Fw: bypassing authentication when using DNS(SEC)
From: itojun@itojun.org (Jun-ichiro itojun Hagino)
Date: Thu, 22 Jul 2004 13:38:04 +0900 (JST)
Delivered-to: racoon-archive@kame.net
Delivered-to: racoon-outgo@kame.net
Delivered-to: racoon@kame.net
Reply-to: racoon@kame.net
Sender: owner-racoon@kame.net

--- Begin Message ---

To: Michal Ludvig <michal@logix.cz>, itojun@kame.net

Subject: bypassing authentication when using DNS(SEC)

From: Thomas Walpuski <thomas@unproved.org>

Date: Wed, 21 Jul 2004 10:43:48 +0000

Cc: ipsec-tools-core@lists.sourceforge.net

Delivery-date: Wed Jul 21 19:39:50 2004

User-agent: Mutt/1.3.28i
Why does racoon only print an error, if it encounters invalid, i.e.
untrusted, RR? Take a look at getcertsbyname.c:

#ifdef DNSSEC_DEBUG
        if (!(rr->rri_flags & LWRDATA_VALIDATED))
                printf("rr is not valid");
#endif

A sophisticated attacker should be able to bypass the authentication [if
DNS(SEC) should be used] with some DNS spoofing.

Thomas Walpuski
--- End Message ---

Prev by Date: (racoon 585) Documentation for racoon implementation
Next by Date: (racoon 587) Fw: Re: [Ipsec-tools-core] bypassing authentication when using DNS(SEC)
Previous by thread: (racoon 589) Re: IPv6 and IPSec: No Neighbour Advertisement in SA negotiation
Next by thread: (racoon 587) Fw: Re: [Ipsec-tools-core] bypassing authentication when using DNS(SEC)
Index(es):
- Date
- Thread