Re: How do we get the whole world to upgrade to DNSSEC capable resolvers?

David Conrad <drc@virtualized.org> Wed, 23 July 2008 21:32 UTC

Cc: DNSEXT WG <namedroppers@ops.ietf.org>
Message-Id: <8A91CF57-0CBD-4CF2-BF59-C7D59CB4B7B9@virtualized.org>
From: David Conrad <drc@virtualized.org>
To: bert hubert <bert.hubert@netherlabs.nl>
In-Reply-To: <20080723191636.GB32507@outpost.ds9a.nl>
Subject: Re: How do we get the whole world to upgrade to DNSSEC capable resolvers?
Date: Wed, 23 Jul 2008 14:14:10 -0700
References: <48875934.8080101@links.org> <F113C53F-D189-45A0-8DC3-14725395D1BD@virtualized.org> <20080723183227.GA11957@outpost.ds9a.nl> <2FFE6519-7E9C-4DE8-AF69-697A4D875011@nominum.com> <20080723191636.GB32507@outpost.ds9a.nl>

Bert,

On Jul 23, 2008, at 12:16 PM, bert hubert wrote:
> I dare anybody to subvert the DNS+32 bits of additional entropy without
> being able to inspect and modify packets. To emulate this, run DNS over TCP
> today, and see if you can spoof it.

People have spoofed TCP streams remotely in the past, but that is
somewhat irrelevant.

You are constraining the problem so the solution you prefer fits.  The
reality is that the problem goes beyond your constraint, even today.
For example, ISPs inspect and modify DNS packets in ways many end
users find objectionable and there is no way for end users to
programmatically detect this.

XID (et al) are simply more hacks that attempt to treat symptoms,
trying to protect the transport.  The disease is lack of an ability to
validate the data.  DNSSEC (for all its many warts and wobbly bits)
does actually treat the disease.

Regards,
-drc

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>