Re: How do we get the whole world to upgrade to DNSSEC capable resolvers?
Brian Dickson <briand@ca.afilias.info> Thu, 24 July 2008 13:45 UTC
Return-Path: <owner-namedroppers@ops.ietf.org>
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D030A3A683C; Thu, 24 Jul 2008 06:45:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.904
X-Spam-Level:
X-Spam-Status: No, score=-2.904 tagged_above=-999 required=5 tests=[AWL=0.362, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_INFO=1.448, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_MED=-4, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8gzEwdmekEOE; Thu, 24 Jul 2008 06:45:29 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id A95013A6A00; Thu, 24 Jul 2008 06:45:26 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1KM10K-000M4g-9z for namedroppers-data@psg.com; Thu, 24 Jul 2008 13:37:12 +0000
Received: from [69.46.124.26] (helo=outbound.afilias.info) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from <briand@ca.afilias.info>) id 1KM10E-000M1n-HO for namedroppers@ops.ietf.org; Thu, 24 Jul 2008 13:37:10 +0000
Received: from bmp-336-ms505.wa.yyz2.afilias-ops.info ([10.50.129.111] helo=smtp.afilias.info) by outbound.afilias.info with esmtp (Exim 4.69) (envelope-from <briand@ca.afilias.info>) id 1KLzKF-0002Y7-4A; Thu, 24 Jul 2008 11:49:39 +0000
Message-ID: <48886C4D.4020500@ca.afilias.info>
Date: Thu, 24 Jul 2008 07:49:33 -0400
From: Brian Dickson <briand@ca.afilias.info>
User-Agent: Thunderbird 2.0.0.14 (Windows/20080421)
MIME-Version: 1.0
To: bert hubert <bert.hubert@netherlabs.nl>
CC: David Conrad <drc@virtualized.org>, DNSEXT WG <namedroppers@ops.ietf.org>
Subject: Re: How do we get the whole world to upgrade to DNSSEC capable resolvers?
References: <48875934.8080101@links.org> <F113C53F-D189-45A0-8DC3-14725395D1BD@virtualized.org> <20080723183227.GA11957@outpost.ds9a.nl> <2FFE6519-7E9C-4DE8-AF69-697A4D875011@nominum.com> <20080723191636.GB32507@outpost.ds9a.nl> <8A91CF57-0CBD-4CF2-BF59-C7D59CB4B7B9@virtualized.org> <20080724060743.GA7420@outpost.ds9a.nl>
In-Reply-To: <20080724060743.GA7420@outpost.ds9a.nl>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Authenticated: True
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>
bert hubert wrote: > On Wed, Jul 23, 2008 at 02:14:10PM -0700, David Conrad wrote: > >> You are constraining the problem so the solution you prefer fits. The >> > > No, it goes beyond that. I've constrained the problem to protecting DNS > against people that do not have the ability to intercept and modify your > packets. > > This is not an arbitrary restriction. People that CAN modify your > packets in transit are a wholly different problem - they don't even need to > bother with DNS to mess with your traffic. They can do so directly. Not even > DNSSEC will stop them! > > I beg to differ. The presumption you are making is, that (a) the people modifying the DNS are the same people hijacking your traffic, and (b) that no benefit can be brought by use of DNSSEC in this scenario. Allow me to provide a concrete example, typical of an IETF attendee who knows what they are doing. Joe is attending an IETF. He stays in a hotel. He uses his laptop to access the internet via the hotel's network. The hotel outsources their network stuff to a shady operator, who likes to hijack DNS packets so as to replace ads with other ads. All DNS traffic gets directed to a caching resolver that has been hacked for just such a purpose. That hacked resolver is vulnerable to the Kaminsky attack, and is poisoned. Joe has his own local recursive resolver running on his laptop, and wants to access his bank's web site. He types in http://mybank.tld which should redirect him to https://special-thing.mybank.tld. His resolver does its thing, but before it gets very far, the DNS queries it makes get intercepted, and bad answers from the hacked box get sent back, instead sending him to https://phishing-site.tld. DNSSEC makes this impossible. Note that the ability to access packets in flight is irrelevant, so long as the proper DNS answers are served, and redirects from non-https to https get done properly. Once the https is reached, TLS/SSL protects things, but the key is reaching the right sight to start with. Without the ability to handle non-https initiation URLs safely via DNS, it's all a house of cards. Saying that not using https for everything, is blaming the victim. So, in short, DNSSEC is the only answer that gets around this very real, very well known problem. The idea of using other methods of hardening DNS resolvers is flawed, when not everyone operating a resolver is necessarily strongly incented to harden their resolver (e.g. the hotel outsourcing folks). > And this defines the natural bounding box for how secure DNS MUST be, and > with it a limit on the burden of securing it. > I disagree that your choice is natural, and I disagree that it is sufficient. Brian -- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: <http://ops.ietf.org/lists/namedroppers/>
- How do we get the whole world to upgrade to DNSSE… Ben Laurie
- Re: How do we get the whole world to upgrade to D… Alex Bligh
- Re: How do we get the whole world to upgrade to D… David Conrad
- Re: How do we get the whole world to upgrade to D… bert hubert
- Re: How do we get the whole world to upgrade to D… Ted Lemon
- Re: How do we get the whole world to upgrade to D… bert hubert
- Re: How do we get the whole world to upgrade to D… David Conrad
- Re: How do we get the whole world to upgrade to D… Mark Andrews
- Re: How do we get the whole world to upgrade to D… bert hubert
- Re: How do we get the whole world to upgrade to D… bmanning
- Re: How do we get the whole world to upgrade to D… Mark Andrews
- Re: How do we get the whole world to upgrade to D… bert hubert
- Re: How do we get the whole world to upgrade to D… bert hubert
- Re: How do we get the whole world to upgrade to D… Brian Dickson
- Re: How do we get the whole world to upgrade to D… bmanning
- Re: How do we get the whole world to upgrade to D… Joe Abley
- Re: How do we get the whole world to upgrade to D… Jelte Jansen
- Re: How do we get the whole world to upgrade to D… Joe Abley
- Re: How do we get the whole world to upgrade to D… Joe Abley
- Re: How do we get the whole world to upgrade to D… Brian Dickson
- Re: How do we get the whole world to upgrade to D… David Conrad
- Re: How do we get the whole world to upgrade to D… bert hubert
- Re: How do we get the whole world to upgrade to D… Joe Abley
- Re: How do we get the whole world to upgrade to D… Andrew Sullivan
- Re: How do we get the whole world to upgrade to D… Jelte Jansen
- Re: How do we get the whole world to upgrade to D… Roy Arends
- Re: How do we get the whole world to upgrade to D… Joe Abley
- Re: How do we get the whole world to upgrade to D… bmanning
- Re: How do we get the whole world to upgrade to D… bmanning
- Re: How do we get the whole world to upgrade to D… Stephane Bortzmeyer
- Re: How do we get the whole world to upgrade to D… Brian Dickson
- Re: How do we get the whole world to upgrade to D… bmanning
- Re: How do we get the whole world to upgrade to D… Matthijs Mekking
- Re: How do we get the whole world to upgrade to D… David Conrad
- Re: How do we get the whole world to upgrade to D… bmanning
- RE: How do we get the whole world to upgrade to D… Jesper G. Høy
- RE: How do we get the whole world to upgrade to D… Alex Bligh
- RE: How do we get the whole world to upgrade to D… Jesper G. Høy
- RE: How do we get the whole world to upgrade to D… Alex Bligh
- RE: How do we get the whole world to upgrade to D… Jesper G. Høy
- Re: How do we get the whole world to upgrade to D… Jelte Jansen
- RE: How do we get the whole world to upgrade to D… Jesper G. Høy
- Re: How do we get the whole world to upgrade to D… Mark Andrews
- Re: How do we get the whole world to upgrade to D… David Conrad
- Re: How do we get the whole world to upgrade to D… Michael StJohns
- RE: How do we get the whole world to upgrade to D… Jesper G. Høy
- Re: How do we get the whole world to upgrade to D… David Conrad
- Re: How do we get the whole world to upgrade to D… Mark Andrews
- Re: How do we get the whole world to upgrade to D… Mark Andrews
- Re: How do we get the whole world to upgrade to D… Tony Finch
- Re: How do we get the whole world to upgrade to D… Mark Andrews
- Re: How do we get the whole world to upgrade to D… Edward Lewis
- Re: How do we get the whole world to upgrade to D… Mark Andrews
- Re: How do we get the whole world to upgrade to D… Dean Anderson
- Re: How do we get the whole world to upgrade to D… Ray.Bellis
- Re: How do we get the whole world to upgrade to D… Joe Abley
- Re: How do we get the whole world to upgrade to D… Eric Rescorla
- Re: How do we get the whole world to upgrade to D… Eric Rescorla
- Re: How do we get the whole world to upgrade to D… bmanning
- Re: How do we get the whole world to upgrade to D… David W. Hankins
- Re: How do we get the whole world to upgrade to D… Jim Fenton
- Re: How do we get the whole world to upgrade to D… Eric Rescorla
- Re: How do we get the whole world to upgrade to D… Eric Rescorla
- Re: How do we get the whole world to upgrade to D… Eric Rescorla
- Re: How do we get the whole world to upgrade to D… Ted Lemon
- Re: How do we get the whole world to upgrade to D… Ted Lemon
- Re: How do we get the whole world to upgrade to D… Duane at e164 dot org
- Re: How do we get the whole world to upgrade to D… Paul Vixie
- Re: How do we get the whole world to upgrade to D… David Conrad
- Re: How do we get the whole world to upgrade to D… Alex Bligh
- Re: How do we get the whole world to upgrade to D… Mark Andrews
- Re: How do we get the whole world to upgrade to D… Eric Rescorla
- Re: How do we get the whole world to upgrade to D… Mark Andrews
- Re: How do we get the whole world to upgrade to D… Duane at e164 dot org
- Re: Kaminsky, Cache Poisoning, and Censorship Brian Dickson
- A note of apology (Was: Kaminsky, Cache Poisoning… Andrew Sullivan
- Re: Kaminsky, Cache Poisoning, and Censorship Dean Anderson
- Kaminsky, Cache Poisoning, and Censorship Dean Anderson
- Re: A note of apology (Was: Kaminsky, Cache Poiso… Dean Anderson