IETF Logo Mail Archive

Re: OFFTOPIC: DNSSEC groupthink versus improving DNS

Mark Andrews <Mark_Andrews@isc.org> Fri, 08 August 2008 03:48 UTC

Return-Path: <owner-namedroppers@ops.ietf.org>
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id EEE5C3A6821; Thu, 7 Aug 2008 20:48:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.479
X-Spam-Level:
X-Spam-Status: No, score=-2.479 tagged_above=-999 required=5 tests=[AWL=0.120, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R6Jq4IKmD+tr; Thu, 7 Aug 2008 20:48:40 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 020FB28C12D; Thu, 7 Aug 2008 20:47:44 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1KRIsl-000O5h-HY for namedroppers-data@psg.com; Fri, 08 Aug 2008 03:43:15 +0000
Received: from [2001:470:1f00:820:214:22ff:fed9:fbdc] (helo=drugs.dv.isc.org) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from <marka@isc.org>) id 1KRIsg-000O4x-RK for namedroppers@ops.ietf.org; Fri, 08 Aug 2008 03:43:13 +0000
Received: from drugs.dv.isc.org (localhost [127.0.0.1]) by drugs.dv.isc.org (8.14.2/8.14.2) with ESMTP id m783gnXT006554; Fri, 8 Aug 2008 13:42:49 +1000 (EST) (envelope-from marka@drugs.dv.isc.org)
Message-Id: <200808080342.m783gnXT006554@drugs.dv.isc.org>
To: Duane <duane@e164.org>
Cc: Paul Vixie <vixie@isc.org>, Olaf Kolkman <olaf@NLnetLabs.nl>, bert hubert <bert.hubert@netherlabs.nl>, Namedroppers <namedroppers@ops.ietf.org>
From: Mark Andrews <Mark_Andrews@isc.org>
Subject: Re: OFFTOPIC: DNSSEC groupthink versus improving DNS
In-reply-to: Your message of "Fri, 08 Aug 2008 13:05:20 +1000." <489BB7F0.4040500@e164.org>
Date: Fri, 08 Aug 2008 13:42:49 +1000
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>

> Paul Vixie wrote:
> 
> > as a possible proposed "they" in that example, i wonder what other option
> > will allow arbitrary end users to be sure that an NXDOMAIN has not been
> > remapped by their ISP or by their RDNS?  or that a secondary name service
> > provider (or a primary name service provider for that matter) hasn't added
> > a wildcard to catch typo's in their customer domains and send them to an
> > advertising server?  in other words, what other options provide end-to-end
> > data integrity for DNS?  if all you've got is hop-by-hop, i'm uninterested.
> 
> I maybe late to this party but I tried to engage you in this in previous
> email correspondences, suffice to say I don't think either of us have
> all the answers but dismissing alternative opinions on how this could be
> solved out of hand isn't going to help either.
> 
> > amit klein and dan kaminsky have showed us some off-path attacks, to which
> > dan bernstein and amit klein and david dagon have shown us some RDNS-only
> > defenses.  but provider-in-the-middle and more generally man-in-the-middle
> > attacks are on-path not off-path.  i want protection against on-path
> > attacks, as well as against all possible future off-path attacks.  you're
> > right that i'm dismissing proposals that do not address those requirements.
> > now you know exactly why.
> 
> You just pointed out the solution, and I'm pretty sure you or others
> have mentioned this before, but as far as end to end solutions go the
> only solution is to run the resolving DNS caching at the end points.

I don't think anyone would disagree with you.  Preferably validation
should be done in the application.  If that is not supported by the
application then on the local machine.

Validation in off machine caches is only there for the legacy machines.

> While this negates some of the benefits of caching by say ISPs, it's
> more than obvious the ISPs can no longer be trusted on that front in any
> case and end user directly requesting to authoritative DNS servers is
> the only option.

Only if the ISP's don't supply clean path.  DNSSEC allows you to
detect when the path has been compromised.

> After all, do we allow ISPs to cache SSL connections, why should DNS be
> any different?
> 
> > after watching masataka's superior approach get railroaded into a ditch
> > back in 1996 or 1997 or so, i can no longer get bogged down in how ugly
> > the protocol is or how ugly was the process that begat that protocol.  my
> > pragmatic concerns are only, is it end-to-end, and can it be made to work?
> 
> How much enthusiasm has been garnered for DNSSEC since well ever except
> by those evangelising it?
> 
> If you can't sell it to people like me purely on its merits it's already
> a forgone conclusion, I'm not trying to be facetious here or
> antagonistic but pointing out a reality of the way the world is, not the
> way we'd like the world to be.
> 
> > but show me a hop-by-hop solution and i'll say "this isn't complete" and if
> > it requires a replacement or upgrade of both RDNS and ADNS nodes then i'll
> > say "at that price i'd prefer end-to-end data integrity, please."
> 
> You've already outlined numerous corner cases where DNSSEC will fail in
> end to end data integrity, so obviously it's not solving the issue in
> all cases either.
> 
> My hop-by-hop approach wasn't the end game, merely a stepping stone
> until something better could occur at the end points, my approach is
> simply trying to go the path of least resistance and work up from there.
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews@isc.org

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>

v2.23.0 | Report a Bug | By Email