Re: OFFTOPIC: DNSSEC groupthink versus improving DNS

David Conrad <drc@virtualized.org> Thu, 07 August 2008 20:18 UTC

Cc: Namedroppers <namedroppers@ops.ietf.org>
Message-Id: <26DBE8D4-8C4A-4E4E-BF1C-7B2B951C9FD4@virtualized.org>
From: David Conrad <drc@virtualized.org>
To: bert hubert <bert.hubert@netherlabs.nl>
In-Reply-To: <20080807134236.GA19024@outpost.ds9a.nl>
Subject: Re: OFFTOPIC: DNSSEC groupthink versus improving DNS
Date: Thu, 07 Aug 2008 13:12:09 -0700
References: <489AD5E3.20708@nlnetlabs.nl> <20080807134236.GA19024@outpost.ds9a.nl>

Bert,

On Aug 7, 2008, at 6:42 AM, bert hubert wrote:
> On Thu, Aug 07, 2008 at 01:00:51PM +0200, Wouter Wijngaards wrote:
>> The best solution is of course DNSSEC. Crypto signatures instead of
>> randomisation games. Enable DNSSEC validation now.
> Not specifically aimed at you Wouter, but it appears the most vocal
> people in the DNS world are starting to suffer from "groupthink".

If constructive discussion is desirable, I suspect it would probably  
be best to avoid labeling.

> The reason I rant on about this is that I care deeply about DNS, and
> that DNS is *currently* under attack. While DNSSEC is aggressively
> branded as a fine solution, at best, it will be a solution in a few
> years.

This isn't quite accurate.  DNSSEC is an incrementally deployable  
solution.  It can fully protect zones that take the trouble to sign  
today if caching server operators take the trouble to configure trust  
anchors for those zones.  I have some skepticism DNSSEC will be a  
fully deployed solution in the foreseeable future, however that does  
not mean that there isn't potential benefit from its use.

And I say this as someone who hates DNSSEC with the passion of a
thousand suns of passionate hate.

> Additionally, given things I've said before, I personally don't
> think DNSSEC will ever see wide usage in the real world, so I feel
> very strongly that not only do we need to improve DNS in the short
> term, the short term solution also needs to be the long term
> solution.

The short term solutions proposed to date are protecting the data  
_channel_, not the actual data itself.  Fundamentally, this is a  
flawed approach because as long as the data in the response is  
vulnerable, there will be ways to abuse it.  Perfect source port/128  
bit XQID randomization, query/response TTL windowing, whatever is  
meaningless if you have write access to the path over which the query  
or response travels.  Those hacks are treating the symptom and are a  
holding action whereas DNSSEC, like aggressive chemotherapy, treats  
the disease.  One can reasonably argue that the side effects of  
treating the disease may be worse than the disease, but my view is  
that is simply a "small matter of programming" that will be addressed  
over time.

> But no matter what I feel - please everybody take a minute to read
> the symptoms of groupthink, and wonder if we are still doing the
> best job we can to improve DNS in the real world.

I will admit that this feels sort of like someone from the petroleum  
industry accusing folks at the IPCC of "groupthink".

In the end, rants on either side don't actually matter all that much.   
There is a problem for which DNSSEC is proposed as a solution.  There  
are implementations that both do and do not support DNSSEC.  There are  
costs, benefits, and risks on which individual organizations will have  
to base their decisions to deploy DNSSEC or not. As such, I can't get  
too worked up on this topic -- I suspect the market will decide.

Regards,
-drc
