RE: How do we get the whole world to upgrade to DNSSEC capable resolvers?

Jesper G. Høy <jesper@jhsoft.com> Sun, 10 August 2008 18:09 UTC

From: "Jesper G. Høy" <jesper@jhsoft.com>
To: mayer@gis.net
Cc: namedroppers@ops.ietf.org
References: <48875934.8080101@links.org> <F113C53F-D189-45A0-8DC3-14725395D1BD@virtualized.org> <20080723183227.GA11957@outpost.ds9a.nl> <028601c8f185$eeb51b90$cc1f52b0$@com> <F64EF155F05968A001280C7B@Ximines.local> <028a01c8f18c$7f6bb620$7e432260$@com> <572015C3F44995F54736D38B@Ximines.local> <029401c8f196$c5822bd0$50868370$@com> <489F0F8E.6020607@gis.net>
In-Reply-To: <489F0F8E.6020607@gis.net>
Subject: RE: How do we get the whole world to upgrade to DNSSEC capable resolvers?
Date: Sun, 10 Aug 2008 20:02:06 +0200
Message-ID: <021101c8fb13$34634310$9d29c930$@com>

Danny Mayer wrote:
> > I agree - and I am not arguing against DNSSEC as a whole.
> > As I started out saying - "There may be other good reasons to push
> > DNSSEC" - distributing public keys certainly may be one of those.
> > However, this was in regards to the Kaminsky bug, which is all about
> > carrying IP addresses (A/AAAA RRSets in response Additional section).
> > So to clarify: DNSSEC doesn't make much difference when the bad guy
> > is on-the-wire - for IP address records.
> That's not true either way. DNSSEC will protect you from the bad guy on
> the wire.

My point was that it doesn't matter that you get the correct IP address
(signed by DNSSEC) if the bad guy is on the wire.
In that scenario he can just spoof that IP address and replace web-sites
etc. with his own data.
Only SSL can protect you here.


> But the A/AAAA records in the additional section is not the
> only part that needs protection. The authority section also needs
> protection since they contain the authoritative nameserver names. By
> diverting further queries to their own nameservers they no longer need
> a cache poisoning attack.

Right - but NS-records point to host names which point to A/AAAA records
which point to IP addresses.
Comes back to the same thing - if the bad guy is on the wire, you are still
in trouble...
DNSSEC or not.


> > Without having thought this through, I think resolvers could probably
> > ignore anything else (non A/AAAA RRSets) in the response Additional
> > section - limiting the Kaminsky bug to such records. But that's a
> > different thread...
> And what about the authority section?

See above.


> > Carrying IP addresses is still by far the biggest use of DNS.
> No it isn't. MX records are almost as big. And then there are SRV
> records.

OK - but MX-records point to host names which point to A/AAAA records which
point to IP addresses...
If the bad guy is on the wire, he can intercept and replace your SMTP
traffic anyway. 
DNSSEC or not.

SRV-records also point to host names which...


> > And I am just not convinced that it is a good idea to apply DNSSEC's
> > complexity to this most fundamental part of our Internet.
> > I believe a simpler solution stands a much better chance of actually
> > being implemented and used, and therefore is more secure overall.
> > Especially if such a solution does not require any end-user action
> > other than patching.
> Go look at Dan Kaminsky's slides for the fuller picture

I see nothing in the slides that suggests that DNSSEC is the only true
solution or that rules out other solutions.
On the contrary it seems to me that Dan Kaminsky himself is suggesting other
solutions in his latest blog entry on the matter...


Sincerely,
Jesper



--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>