Re: OFFTOPIC: DNSSEC groupthink versus improving DNS
Mark Andrews <Mark_Andrews@isc.org> Fri, 08 August 2008 03:48 UTC
Return-Path: <owner-namedroppers@ops.ietf.org>
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id EEE5C3A6821; Thu, 7 Aug 2008 20:48:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.479
X-Spam-Level:
X-Spam-Status: No, score=-2.479 tagged_above=-999 required=5 tests=[AWL=0.120, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R6Jq4IKmD+tr; Thu, 7 Aug 2008 20:48:40 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 020FB28C12D; Thu, 7 Aug 2008 20:47:44 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1KRIsl-000O5h-HY for namedroppers-data@psg.com; Fri, 08 Aug 2008 03:43:15 +0000
Received: from [2001:470:1f00:820:214:22ff:fed9:fbdc] (helo=drugs.dv.isc.org) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from <marka@isc.org>) id 1KRIsg-000O4x-RK for namedroppers@ops.ietf.org; Fri, 08 Aug 2008 03:43:13 +0000
Received: from drugs.dv.isc.org (localhost [127.0.0.1]) by drugs.dv.isc.org (8.14.2/8.14.2) with ESMTP id m783gnXT006554; Fri, 8 Aug 2008 13:42:49 +1000 (EST) (envelope-from marka@drugs.dv.isc.org)
Message-Id: <200808080342.m783gnXT006554@drugs.dv.isc.org>
To: Duane <duane@e164.org>
Cc: Paul Vixie <vixie@isc.org>, Olaf Kolkman <olaf@NLnetLabs.nl>, bert hubert <bert.hubert@netherlabs.nl>, Namedroppers <namedroppers@ops.ietf.org>
From: Mark Andrews <Mark_Andrews@isc.org>
Subject: Re: OFFTOPIC: DNSSEC groupthink versus improving DNS
In-reply-to: Your message of "Fri, 08 Aug 2008 13:05:20 +1000." <489BB7F0.4040500@e164.org>
Date: Fri, 08 Aug 2008 13:42:49 +1000
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>
> Paul Vixie wrote: > > > as a possible proposed "they" in that example, i wonder what other option > > will allow arbitrary end users to be sure that an NXDOMAIN has not been > > remapped by their ISP or by their RDNS? or that a secondary name service > > provider (or a primary name service provider for that matter) hasn't added > > a wildcard to catch typo's in their customer domains and send them to an > > advertising server? in other words, what other options provide end-to-end > > data integrity for DNS? if all you've got is hop-by-hop, i'm uninterested. > > I maybe late to this party but I tried to engage you in this in previous > email correspondences, suffice to say I don't think either of us have > all the answers but dismissing alternative opinions on how this could be > solved out of hand isn't going to help either. > > > amit klein and dan kaminsky have showed us some off-path attacks, to which > > dan bernstein and amit klein and david dagon have shown us some RDNS-only > > defenses. but provider-in-the-middle and more generally man-in-the-middle > > attacks are on-path not off-path. i want protection against on-path > > attacks, as well as against all possible future off-path attacks. you're > > right that i'm dismissing proposals that do not address those requirements. > > now you know exactly why. > > You just pointed out the solution, and I'm pretty sure you or others > have mentioned this before, but as far as end to end solutions go the > only solution is to run the resolving DNS caching at the end points. I don't think anyone would disagree with you. Preferably validation should be done in the application. If that is not supported by the application then on the local machine. Validation in off machine caches is only there for the legacy machines. > While this negates some of the benefits of caching by say ISPs, it's > more than obvious the ISPs can no longer be trusted on that front in any > case and end user directly requesting to authoritative DNS servers is > the only option. Only if the ISP's don't supply clean path. DNSSEC allows you to detect when the path has been compromised. > After all, do we allow ISPs to cache SSL connections, why should DNS be > any different? > > > after watching masataka's superior approach get railroaded into a ditch > > back in 1996 or 1997 or so, i can no longer get bogged down in how ugly > > the protocol is or how ugly was the process that begat that protocol. my > > pragmatic concerns are only, is it end-to-end, and can it be made to work? > > How much enthusiasm has been garnered for DNSSEC since well ever except > by those evangelising it? > > If you can't sell it to people like me purely on its merits it's already > a forgone conclusion, I'm not trying to be facetious here or > antagonistic but pointing out a reality of the way the world is, not the > way we'd like the world to be. > > > but show me a hop-by-hop solution and i'll say "this isn't complete" and if > > it requires a replacement or upgrade of both RDNS and ADNS nodes then i'll > > say "at that price i'd prefer end-to-end data integrity, please." > > You've already outlined numerous corner cases where DNSSEC will fail in > end to end data integrity, so obviously it's not solving the issue in > all cases either. > > My hop-by-hop approach wasn't the end game, merely a stepping stone > until something better could occur at the end points, my approach is > simply trying to go the path of least resistance and work up from there. -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@isc.org -- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: <http://ops.ietf.org/lists/namedroppers/>
- Re: Additional filtering of responses Tony Finch
- Additional filtering of responses Wouter Wijngaards
- OFFTOPIC: DNSSEC groupthink versus improving DNS bert hubert
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Duane
- Re: Additional filtering of responses Paul Vixie
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Paul Vixie
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Paul Vixie
- RE: OFFTOPIC: DNSSEC groupthink versus improving … Jesper G. Høy
- Re: Additional filtering of responses Roy Arends
- Re: Additional filtering of responses Paul Vixie
- Forgery resilience idea - wildcard cooperative de… Brian Dickson
- Re: Forgery resilience idea - wildcard cooperativ… Paul Vixie
- Re: Additional filtering of responses Roy Arends
- Re: Forgery resilience idea - wildcard cooperativ… bert hubert
- Re: Forgery resilience idea - wildcard cooperativ… Brian Dickson
- Re: Additional filtering of responses Edward Lewis
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Olaf Kolkman
- Re: Additional filtering of responses Tony Finch
- Re: OFFTOPIC: DNSSEC groupthink versus improving … David Conrad
- Re: OFFTOPIC: DNSSEC groupthink versus improving … bert hubert
- Re: Additional filtering of responses Edward Lewis
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Federico Lucifredi
- Re: Additional filtering of responses Paul Vixie
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Duane
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Mark Andrews
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Duane
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Duane
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Paul Vixie
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Paul Vixie
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Mark Andrews
- Re: Additional filtering of responses Mark Andrews
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Mark Andrews
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Duane
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Duane
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Duane
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Mark Andrews
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Duane
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Mark Andrews
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Duane
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Mark Andrews
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Duane
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Brian Dickson
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Mark Andrews
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Duane
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Duane
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Brian Dickson
- Re: Additional filtering of responses Masataka Ohta
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Duane
- Re: Additional filtering of responses Masataka Ohta
- Re: Additional filtering of responses Roy Arends
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Ralf Weber
- Re: Additional filtering of responses Masataka Ohta
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Duane at e164 dot org
- Re: Additional filtering of responses Duane at e164 dot org
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Ralf Weber
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Alex Bligh
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Duane at e164 dot org
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Duane at e164 dot org
- Re: OFFTOPIC: DNSSEC groupthink versus improving … sthaug
- Re: OFFTOPIC: DNSSEC groupthink versus improving … bert hubert
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Duane at e164 dot org
- Re: Additional filtering of responses Peter Koch
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Duane at e164 dot org
- Please stop this thread (was: OFFTOPIC: DNSSEC gr… Andrew Sullivan
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Otmar Lendl
- Re: Please stop this thread (was: OFFTOPIC: DNSSE… Matt Larson
- Re: Please stop this thread (was: OFFTOPIC: DNSSE… David Conrad
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Ben Laurie
- how many angels can dance on the head of a pin? bmanning
- Re: how many angels can dance on the head of a pi… Duane at e164 dot org
- Re: how many angels can dance on the head of a pi… Alex Bligh
- Re: how many angels can dance on the head of a pi… Duane at e164 dot org
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Florian Weimer
- Re: how many angels can dance on the head of a pi… Alex Bligh
- Re: how many angels can dance on the head of a pi… Alex Bligh
- Re: how many angels can dance on the head of a pi… sthaug
- Re: how many angels can dance on the head of a pi… Ben Laurie
- Re: how many angels can dance on the head of a pi… Alex Bligh
- Re: how many angels can dance on the head of a pi… Ben Laurie
- Re: how many angels can dance on the head of a pi… Paul Vixie
- Re: how many angels can dance on the head of a pi… Paul Hoffman
- Re: how many angels can dance on the head of a pi… bmanning
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Havard Eidnes
- Re: OFFTOPIC: DNSSEC groupthink versus improving … Mark Andrews
- DNSSEC on autopilot (was: OFFTOPIC: DNSSEC groupt… Otmar Lendl
- Re: DNSSEC on autopilot (was: OFFTOPIC: DNSSEC gr… Andrew Sullivan
- Re: DNSSEC on autopilot (was: OFFTOPIC: DNSSEC gr… Otmar Lendl
- Re: DNSSEC on autopilot (was: OFFTOPIC: DNSSEC gr… Mark Andrews
- Re: DNSSEC on autopilot (was: OFFTOPIC: DNSSEC gr… Andrew Sullivan