IETF Logo Mail Archive

Re: OFFTOPIC: DNSSEC groupthink versus improving DNS

Brian Dickson <briand@ca.afilias.info> Fri, 08 August 2008 04:49 UTC

Return-Path: <owner-namedroppers@ops.ietf.org>
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id F0ECA3A6C0A; Thu, 7 Aug 2008 21:49:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.6
X-Spam-Level:
X-Spam-Status: No, score=-3.6 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_INFO=1.448, RCVD_IN_DNSWL_MED=-4, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Jg67rhQM-nVp; Thu, 7 Aug 2008 21:49:11 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id CD7803A65A6; Thu, 7 Aug 2008 21:49:10 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1KRJpq-00055x-1P for namedroppers-data@psg.com; Fri, 08 Aug 2008 04:44:18 +0000
Received: from [207.219.45.62] (helo=vgateway.libertyrms.info) by psg.com with esmtp (Exim 4.69 (FreeBSD)) (envelope-from <briand@ca.afilias.info>) id 1KRJpm-00055X-Fb for namedroppers@ops.ietf.org; Fri, 08 Aug 2008 04:44:16 +0000
Received: from briand-vpn.int.libertyrms.com ([10.1.7.90] helo=[192.168.2.87]) by vgateway.libertyrms.info with esmtp (Exim 4.22) id 1KRJpl-0006Bm-QI; Fri, 08 Aug 2008 00:44:13 -0400
Message-ID: <489BCF1D.20804@ca.afilias.info>
Date: Fri, 08 Aug 2008 00:44:13 -0400
From: Brian Dickson <briand@ca.afilias.info>
User-Agent: Thunderbird 2.0.0.16 (Macintosh/20080707)
MIME-Version: 1.0
To: Duane <duane@e164.org>
CC: Namedroppers <namedroppers@ops.ietf.org>
Subject: Re: OFFTOPIC: DNSSEC groupthink versus improving DNS
References: <200808080332.m783WaYI006465@drugs.dv.isc.org> <489BC053.5080904@e164.org>
In-Reply-To: <489BC053.5080904@e164.org>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-SA-Exim-Mail-From: briand@ca.afilias.info
X-SA-Exim-Scanned: No; SAEximRunCond expanded to false
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>

Duane wrote:
> Mark Andrews wrote:
>
>   
>> 	Except it wouldn't solve NXDOMAIN re-writing and other
>> 	on-path attacks which modify the returned data such that
>> 	it is believed.
>>     
>
> Others have pointed out other cases where DNSSEC won't either. Reducing
> the caching time only requires changes at the resolver end, unlike
> DNSSEC which if Bert's list is accurate is quite long and involved code
> wise.
>
>   

I don't recall any specific cases being pointed out.

If you wouldn't mind, could you give some kind of reference (e.g. who, 
or what case, or ideally, a URL pointing into the archives)?

To clarify - what DNSSEC does (or at least claims to do) is make it 
possible to validate answers to queries, against a chain of trust to 
some trust anchor.

This means one of three results occurs - a valid answer is confirmed, an 
unverified answer exists due to lack of signature (where the lack of 
signature itself is able to be validated), or tampering occurs and is 
detected.

So, it won't *prevent* tampering, but does make the data itself 
tamper-evident.

Tampering is only slightly worse than a blind DoS attack, and has the 
same results in a DNSSEC-protected world. The only incremental benefit 
of hop-by-hop crypto security would be to  make the data opaque, which 
while in theory seems better, in practice is irrelevant. If you can't 
tamper with the data, it doesn't matter whether you can see it. And 
hop-by-hop data encryption is a bigger cost than validation via 
signatures, particularly in the increase in state, and in the asymmetric 
cost model. Signatures scale very well, especially in an one-to-many 
world, which DNS is.

>> > Only if the ISP's don't supply clean path.  DNSSEC allows you to
>> > detect when the path has been compromised.
>>     
>
> Only if you already know DNSSEC mechanisms exist and they haven't been
> filtered.
>   

??

You can't filter DNSSEC mechanisms without that filtration being 
detected (on a validating resolver).

This includes the ability to determine whether DNSSEC mechanisms exist.

(The above is predicated on some configured trust anchor, either a 
signed root or via locally configured trust anchors, or DLV.)

If you believe these aren't correct statements, I encourage you to 
provide something more than a mere assertion, e.g. example, reference, 
proof, counter-example, or anything else that you think will support 
your position.

BTW - critical analysis of DNSSEC and alternatives is by no means 
discouraged, and I think any time anyone brings fresh eyes to the 
problem, only good things can come of it - if polite, reasoned discourse 
is the result.

Brian

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>

v2.23.0 | Report a Bug | By Email