IETF Logo Mail Archive

Re: How do we get the whole world to upgrade to DNSSEC capable resolvers?

Brian Dickson <briand@ca.afilias.info> Thu, 24 July 2008 13:45 UTC

Return-Path: <owner-namedroppers@ops.ietf.org>
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D030A3A683C; Thu, 24 Jul 2008 06:45:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.904
X-Spam-Level:
X-Spam-Status: No, score=-2.904 tagged_above=-999 required=5 tests=[AWL=0.362, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_INFO=1.448, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_MED=-4, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8gzEwdmekEOE; Thu, 24 Jul 2008 06:45:29 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id A95013A6A00; Thu, 24 Jul 2008 06:45:26 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1KM10K-000M4g-9z for namedroppers-data@psg.com; Thu, 24 Jul 2008 13:37:12 +0000
Received: from [69.46.124.26] (helo=outbound.afilias.info) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from <briand@ca.afilias.info>) id 1KM10E-000M1n-HO for namedroppers@ops.ietf.org; Thu, 24 Jul 2008 13:37:10 +0000
Received: from bmp-336-ms505.wa.yyz2.afilias-ops.info ([10.50.129.111] helo=smtp.afilias.info) by outbound.afilias.info with esmtp (Exim 4.69) (envelope-from <briand@ca.afilias.info>) id 1KLzKF-0002Y7-4A; Thu, 24 Jul 2008 11:49:39 +0000
Message-ID: <48886C4D.4020500@ca.afilias.info>
Date: Thu, 24 Jul 2008 07:49:33 -0400
From: Brian Dickson <briand@ca.afilias.info>
User-Agent: Thunderbird 2.0.0.14 (Windows/20080421)
MIME-Version: 1.0
To: bert hubert <bert.hubert@netherlabs.nl>
CC: David Conrad <drc@virtualized.org>, DNSEXT WG <namedroppers@ops.ietf.org>
Subject: Re: How do we get the whole world to upgrade to DNSSEC capable resolvers?
References: <48875934.8080101@links.org> <F113C53F-D189-45A0-8DC3-14725395D1BD@virtualized.org> <20080723183227.GA11957@outpost.ds9a.nl> <2FFE6519-7E9C-4DE8-AF69-697A4D875011@nominum.com> <20080723191636.GB32507@outpost.ds9a.nl> <8A91CF57-0CBD-4CF2-BF59-C7D59CB4B7B9@virtualized.org> <20080724060743.GA7420@outpost.ds9a.nl>
In-Reply-To: <20080724060743.GA7420@outpost.ds9a.nl>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Authenticated: True
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>

bert hubert wrote:
> On Wed, Jul 23, 2008 at 02:14:10PM -0700, David Conrad wrote:
>   
>> You are constraining the problem so the solution you prefer fits.  The  
>>     
>
> No, it goes beyond that. I've constrained the problem to protecting DNS
> against people that do not have the ability to intercept and modify your
> packets.
>
> This is not an arbitrary restriction. People that CAN modify your
> packets in transit are a wholly different problem - they don't even need to
> bother with DNS to mess with your traffic. They can do so directly. Not even
> DNSSEC will stop them!
>
>   

I beg to differ.

The presumption you are making is, that (a) the people modifying the DNS 
are the same people hijacking
your traffic, and (b) that no benefit can be brought by use of DNSSEC in 
this scenario.

Allow me to provide a concrete example, typical of an IETF attendee who 
knows what they are doing.

Joe is attending an IETF. He stays in a hotel. He uses his laptop to 
access the internet via the hotel's network.

The hotel outsources their network stuff to a shady operator, who likes 
to hijack DNS packets so as to replace
ads with other ads.

All DNS traffic gets directed to a caching resolver that has been hacked 
for just such a purpose.
That hacked resolver is vulnerable to the Kaminsky attack, and is poisoned.

Joe has his own local recursive resolver running on his laptop, and 
wants to access his bank's web site.
He types in http://mybank.tld which should redirect him to 
https://special-thing.mybank.tld.

His resolver does its thing, but before it gets very far, the DNS 
queries it makes get intercepted, and bad
answers from the hacked box get sent back, instead sending him to 
https://phishing-site.tld.

DNSSEC makes this impossible.

Note that the ability to access packets in flight is irrelevant, so long 
as the proper DNS answers are served,
and redirects from non-https to https get done properly. Once the https 
is reached, TLS/SSL protects things,
but the key is reaching the right sight to start with.

Without the ability to handle non-https initiation URLs safely via DNS, 
it's all a house of cards.

Saying that not using https for everything, is blaming the victim.

So, in short, DNSSEC is the only answer that gets around this very real, 
very well known problem.

The idea of using other methods of hardening DNS resolvers is flawed, 
when not everyone operating
a resolver is necessarily strongly incented to harden their resolver 
(e.g. the hotel outsourcing folks).

> And this defines the natural bounding box for how secure DNS MUST be, and
> with it a limit on the burden of securing it.
>   

I disagree that your choice is natural, and I disagree that it is 
sufficient.

Brian

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>

v2.23.0 | Report a Bug | By Email