RE: How do we get the whole world to upgrade to DNSSEC capable resolvers?

Jesper G. Høy <jesper@jhsoft.com> Tue, 29 July 2008 14:30 UTC

From: "Jesper G. Høy" <jesper@jhsoft.com>
To: namedroppers@ops.ietf.org
References: <48875934.8080101@links.org> <F113C53F-D189-45A0-8DC3-14725395D1BD@virtualized.org> <20080723183227.GA11957@outpost.ds9a.nl>
In-Reply-To: <20080723183227.GA11957@outpost.ds9a.nl>
Subject: RE: How do we get the whole world to upgrade to DNSSEC capable resolvers?
Date: Tue, 29 Jul 2008 16:18:09 +0200
Message-ID: <028601c8f185$eeb51b90$cc1f52b0$@com>

I second Bert's view on DNSSEC, and it is for much the same reasons that we
do not have DNSSEC in Simple DNS Plus either.

There may be other good reasons to push DNSSEC, but it really is overkill
for the Kaminsky bug IMHO.

The core problem with the Kaminsky bug, and other cache poisoning scenarios,
is the short 16 bit transaction ID.
So why not simply expand this ID to a secure length?
And not just ~16 bits (random ports) or 2+ bits (0x20) - but really secure
length like 128 bits.

This seems a lot easier than getting DNSSEC in place, signing the root,
getting EVERYBODY to sign their zones, repeat for rollover, etc., etc.

Some will probably argue that this doesn't help against on-the-wire-attacks.
But if the bad guy is on-the-wire, then he can replace any data at will
anyway. DNSSEC is no help here.
Of course we already have SSL to solve that problem.

So why not keep DNS simple?

Am I oversimplifying matters?

Sincerely,
Jesper


> -----Original Message-----
> From: owner-namedroppers@ops.ietf.org [mailto:owner-
> namedroppers@ops.ietf.org] On Behalf Of bert hubert
> Sent: Wednesday, July 23, 2008 8:32 PM
> To: David Conrad
> Cc: Ben Laurie; DNSEXT WG
> Subject: Re: How do we get the whole world to upgrade to DNSSEC capable
> resolvers?
> 
> On Wed, Jul 23, 2008 at 10:25:23AM -0700, David Conrad wrote:
> > Actually, I suspect not, since I would guess this event has increased
> > the number of dnscache sites out there.  And PowerDNS (also unaffected
> > by the vulnerability as I understand it) doesn't support DNSSEC
> > either, right?
> 
> Correct - my reasoning can be found on
> http://ds9a.nl/dnssec/index.html#id2467146
> 
> Some older stuff: http://ds9a.nl/secure-dns.html
> 
> DNS is part of the long chain from a named service to a physical
> server:
> 
> 1) ARP to find the hardware serving the router/nameserver IP
> 2) DNS to find the server IP
> 3) BGP to find the link to the destination AS
> 4) (TCP/)IP to the actual server
> 5) Content
> 
> Everybody who really cares about information security handles it in the
> application that deals with the content, and is close to the user. All the
> steps underneath have traditionally been plaintext, and have only been
> hardened enough to be secure enough that casual tampering is ruled out.
> 
> Because we use real crypto for our important content anyhow, crypto that
> does authentication, this is not a problem.
> 
> 1) ARPSEC has been proposed, but never went anywhere. Switches implement
> port security measures.
> 2) DNS has been hardened using random source ports
> 3) BGP has suffered the MD5 scare, and has now been hardened using
> TTL-checks to keep out strangers
> 4) TCP/IP has been hardened by making sure everybody uses unpredictable
> sequence numbers.
> 
> You can see where this is going.
> 
> DNSSEC would be the most complex protocol ever deployed on such a scale on
> the internet [1], with far reaching administrative and computational
> consequences for everybody, yet it would sit all the way down there in the
> stack.
> 
> I wouldn't put any faith in secure DNS alone.
> 
> So - DNS needs only to be strong enough to not be easily subverted in the
> process of transporting plaintext unauthenticated data. This puts an upper
> bound on the overhead (financial, technical and administrative) that we
> should commit to DNS security.
> 
> And I firmly believe some simple measures will bring DNS to the required
> level of robustness against tampering, and that these simple measures will
> fit in the 'overhead budget' mentioned above. [2]
> 
> I also firmly believe DNSSEC will impose an order of magnitude more hassle
> than the world is willing to bear.
> 
> 	Bert
> 
> [1] The telephony world beats us hands down though. Think H.323 or SS7.
> [2] EDNS PING extra entropy, with gradual fallback to TCP to be introduced
> to give everybody the opportunity to deploy. Fallback to TCP in case of a
> single question-response {id,source-port} mismatch might even be enough!
> 
> --
> http://www.PowerDNS.com      Open source, database driven DNS Software
> http://netherlabs.nl              Open and Closed source services

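A constructed Python sketch, added here and not code from either poster nor from PowerDNS or Simple DNS Plus, that puts numbers on the entropy argument in the message above (16-bit ID alone, plus random source ports, plus 0x20 case bits) and models the resolver-side check from Bert's footnote [2]: a reply whose {id, source-port} or question does not match a pending query is dropped and the resolver marks the name for a retry over TCP. The pending-query table, port range and case handling are assumed simplifications, not any real resolver's implementation.

```python
"""Constructed model: per-query guessing entropy and a mismatch-triggered TCP fallback."""
import random
from dataclasses import dataclass, field


@dataclass
class PendingQuery:
    qname: str   # question name as sent, letter case randomised (0x20) when enabled
    txid: int    # 16-bit DNS transaction ID
    sport: int   # UDP source port the query was sent from


def entropy_bits(qname: str, txid_bits: int = 16, port_bits: int = 0,
                 case_randomise: bool = False) -> int:
    """Bits an off-path forger must guess for one spoofed reply to be accepted."""
    case_bits = sum(ch.isalpha() for ch in qname) if case_randomise else 0
    return txid_bits + port_bits + case_bits


def expected_races(bits: int, forgeries_per_race: int) -> float:
    """Mean number of Kaminsky-style races before a forged reply matches (distinct guesses)."""
    return 2 ** bits / forgeries_per_race


@dataclass
class Resolver:
    rng: random.Random
    case_randomise: bool = True
    pending: dict = field(default_factory=dict)   # (txid, sport) -> PendingQuery
    mismatches: int = 0
    tcp_fallback: bool = False

    def send_query(self, name: str) -> PendingQuery:
        qname = "".join(self.rng.choice((c.lower(), c.upper())) if c.isalpha() else c
                        for c in name) if self.case_randomise else name
        q = PendingQuery(qname, self.rng.getrandbits(16), self.rng.randrange(1024, 65536))
        self.pending[(q.txid, q.sport)] = q
        return q

    def receive(self, txid: int, dport: int, qname: str) -> bool:
        """Accept a reply only if ID, destination port and the exact-case question match."""
        q = self.pending.get((txid, dport))
        if q is None or q.qname != qname:
            self.mismatches += 1
            self.tcp_fallback = True   # footnote [2]: a single mismatch is enough to re-ask over TCP
            return False
        del self.pending[(txid, dport)]
        return True


def make_resolver(seed: int) -> Resolver:
    """Deterministic resolver for demonstrations (seeded, constructed)."""
    return Resolver(random.Random(seed))
```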


--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>