Re: How do we get the whole world to upgrade to DNSSEC capable resolvers?

David Conrad <drc@virtualized.org> Fri, 25 July 2008 19:32 UTC

Cc: DNSEXT WG <namedroppers@ops.ietf.org>
Message-Id: <2B837EA4-9D88-4F65-A3D4-8B06B1391E41@virtualized.org>
From: David Conrad <drc@virtualized.org>
To: Joe Abley <jabley@ca.afilias.info>
Subject: Re: How do we get the whole world to upgrade to DNSSEC capable resolvers?
Date: Fri, 25 Jul 2008 12:24:09 -0700

Joe,

On Jul 25, 2008, at 10:03 AM, Joe Abley wrote:
> I think that's wrong. I think that once someone is in the position  
> of being able to meddle with the query/response stream, all bets are  
> off and DNSSEC is no cure.

The whole point of DNSSEC is to allow for the validation of responses
by a validator to ensure they haven't been mucked with in transit.
The most that an attacker, anywhere in a properly configured
DNSSEC-protected query/response path, can do is denial of service.

Once the response leaves the validator on its way to the application,
either via the response to an unprotected stub resolver call over the
network or via an intra-machine IPC, it can, of course, be mucked with.
This is why I believe that if people want to be safe, they need to run
a validating caching server on their local machine (if the
intra-machine IPC can be compromised, you've got bigger problems).

But maybe I'm lacking context here...

Regards,
-drc
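
The trust boundary described in the message above, as an added example that is not part of the original post: a stub-side check that decodes the DNS response header and accepts the AD (Authenticated Data) bit only when the response came from a resolver on the loopback interface. The function names, the sample headers and the policy that a loopback resolver is a validating one are assumptions made for illustration.

```python
import ipaddress
import struct

# Header flag masks (RFC 1035; AD bit as defined for DNSSEC in RFC 4035).
QR, AD, RCODE_MASK = 0x8000, 0x0020, 0x000F
SERVFAIL = 2


def make_header(flags: int) -> bytes:
    """Build a constructed 12-byte DNS header (sample data, not a capture)."""
    return struct.pack("!6H", 0x1234, flags, 1, 1, 0, 0)


def parse_flags(msg: bytes) -> dict:
    """Decode the fixed DNS header; reject anything that is not a response."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, _qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    if not flags & QR:
        raise ValueError("not a response")
    return {"ad": bool(flags & AD), "rcode": flags & RCODE_MASK, "ancount": an}


def classify(resolver_ip: str, msg: bytes) -> str:
    """Decide how much the stub may rely on this response.

    Assumed policy: only a resolver reached over loopback counts as the
    local validating cache; the AD bit itself carries no signature, so
    over a network hop it is just a bit anyone on the path could set.
    """
    hdr = parse_flags(msg)
    if hdr["rcode"] == SERVFAIL:
        # Validators report bogus data as SERVFAIL: no usable answer,
        # which is the denial-of-service outcome, not a forged answer.
        return "failed"
    if not hdr["ad"]:
        return "unvalidated"
    if ipaddress.ip_address(resolver_ip).is_loopback:
        return "validated"
    return "ad-unprotected"


# Constructed responses: QR|RD|RA with and without AD, and a SERVFAIL.
WITH_AD = make_header(0x81A0)
WITHOUT_AD = make_header(0x8180)
BOGUS = make_header(0x8182)
```

The address 192.0.2.53 used to exercise the remote case is from the documentation range and stands in for any resolver reached over the network.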

