Re: OFFTOPIC: DNSSEC groupthink versus improving DNS

Ralf Weber <denic@eng.colt.net> Fri, 08 August 2008 07:08 UTC

Message-Id: <E3BF6308-12F6-4269-B949-2853E5E8F607@eng.colt.net>
From: Ralf Weber <denic@eng.colt.net>
To: bert hubert <bert.hubert@netherlabs.nl>, Namedroppers <namedroppers@ops.ietf.org>
In-Reply-To: <20080807134236.GA19024@outpost.ds9a.nl>
Subject: Re: OFFTOPIC: DNSSEC groupthink versus improving DNS
Date: Fri, 08 Aug 2008 09:05:04 +0200
References: <489AD5E3.20708@nlnetlabs.nl> <20080807134236.GA19024@outpost.ds9a.nl>
List-ID: <namedroppers.ops.ietf.org>

Moin!

On Aug 7, 2008, at 15:42, bert hubert wrote:

> On Thu, Aug 07, 2008 at 01:00:51PM +0200, Wouter Wijngaards wrote:
>> The best solution is of course DNSSEC. Crypto signatures instead of
>> randomisation games. Enable DNSSEC validation now.
>
> Not specifically aimed at you Wouter, but it appears the most vocal people
> in the DNS world are starting to suffer from "groupthink".
Ok, so let me state my opinion as someone who argued against DNSSEC
until last year and hopefully does not fall into the "groupthink" theory.

The reason it changed is that we, or to be more precise a customer, was
hit by cache poisoning, and I had to show up at their board and explain
it to them.

So their question was, and I raise it to the WG here:
Is there a technology that can prove that the answer I am getting from
my DNS resolver is correct?
To my limited knowledge the only answer to the above question is:
Yes, DNSSEC can do this.
But please tell me if you know another solution.

All other solutions proposed here so far only lower the chance of an
attacker poisoning the cache. But still, with a 0.0001% chance the
attacker might just have that lucky packet and poison your cache. So
while I think it is good to do countermeasures, none of them can assure
me that I won't be hit by cache poisoning.

Also as stated elsewhere here, if someone today wanted to secure DNS  
between him and his business partners he could do it today without  
involving anyone else but him and the business partners (and this is  
happening).

Now, having played around with DNSSEC for a year, I also must say
that it does its job, but with the current software and tools
available it's simply not ready for widespread adoption. But this is a
problem that can be solved; there is IMHO nothing wrong with the
protocol, it's the tools that don't offer a user-friendly way to
deploy it.

So people should focus on getting the tools right.

So long
-Ralf
---
Ralf Weber
Platform Infrastructure Manager
Colt Telecom GmbH
Herriotstrasse 4
60528 Frankfurt
Germany
DDI: +49 (0)69 56606 2780 Internal OneDial: 8 491 2780
Fax: +49 (0)69 56606 6280
Email: Ralf.Weber@colt.net
http://www.colt.net/

Data | Voice | Managed Services

*****************************************
COLT Telecom GmbH, Herriotstraße 4, 60528 Frankfurt/Main, Germany *
Tel +49 (0)69 56606 0 * Fax +49 (0)69 56606 2222 *
Managing Directors: Albertus Marinus Oosterom (Chairman), Rita Thies *
District Court Frankfurt/Main HRB 53898 * VAT ID DE 220 772 475
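The point Ralf makes about randomisation only lowering, never removing, the attacker's odds can be put into numbers. The following model is an added illustration, not code from the thread or from any resolver; the entropy figures, forged-packet counts and query counts are constructed, and the ~14 usable source-port bits is an assumption, not a measured value.

```python
"""Model of a forged-response attack against a resolver whose outstanding
query state (TXID plus, optionally, source port) is unpredictable to the
attacker.  Constructed figures; added illustration of the thread's argument."""
from math import ceil, log


def per_query_success(entropy_bits: int, forged_packets: int) -> float:
    """Chance that one of `forged_packets` distinct guesses matches the
    resolver's outstanding state during a single query window."""
    space = 2 ** entropy_bits
    return 1.0 if forged_packets >= space else forged_packets / space


def cumulative_success(p_query: float, queries: int) -> float:
    """Chance of at least one poisoned entry over `queries` independent
    attempts: 1 - (1 - p)^n.  Strictly positive whenever p > 0."""
    return 1.0 - (1.0 - p_query) ** queries


def queries_for_confidence(p_query: float, target: float) -> int:
    """Smallest number of attempts at which the attacker's cumulative success
    reaches `target`.  Returns 0 only when p_query is exactly zero, i.e. the
    attack is impossible rather than merely slow; randomisation never gets
    there, a verified signature does."""
    if p_query <= 0.0:
        return 0
    if p_query >= 1.0:
        return 1
    return ceil(log(1.0 - target) / log(1.0 - p_query))


def compare_defences(forged_packets: int = 100, queries: int = 10**6) -> dict:
    """Two randomisation levels side by side: 16-bit TXID only, and TXID plus
    an assumed ~14 bits of usable source-port entropy (30 bits total)."""
    rows = {}
    for label, bits in (("txid_only", 16), ("txid_plus_port", 30)):
        p = per_query_success(bits, forged_packets)
        rows[label] = {
            "per_query": p,
            "over_run": cumulative_success(p, queries),
            "queries_to_50pct": queries_for_confidence(p, 0.5),
        }
    return rows


if __name__ == "__main__":
    for name, row in compare_defences().items():
        print(name, row)
```

Adding port entropy pushes the per-query odds down by four orders of magnitude, but the cumulative figure stays above zero for any run length; only a signature check can return a categorical "this answer is bogus".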